
CVE-2018-1000873 via Jackson 2.8.11 #15664

Closed
GFriedrich opened this issue Jan 9, 2019 · 3 comments
Assignees
Labels
status: declined A suggestion or change that we don't feel we should currently apply

Comments

@GFriedrich

Hi,
Spring Boot 1.5.x is currently vulnerable to CVE-2018-1000873 via Jackson 2.8.11.
I've already raised the issue for the Spring Framework itself (see https://jira.spring.io/browse/SPR-17656), but as Spring Boot is kind of independent, I wanted to mention this issue here, too.
Do you think it would be possible to release a new version of Spring Boot 1.5 using the fixed version of Jackson 2.9.8?
Thanks in advance for your help.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 9, 2019
@bclozel bclozel self-assigned this Jan 10, 2019
@bclozel bclozel added status: declined A suggestion or change that we don't feel we should currently apply and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 10, 2019
@bclozel
Member

bclozel commented Jan 10, 2019

Hi @GFriedrich

The Spring Framework team is currently migrating to GitHub issues, so you won't be getting an answer there - you'll get it on the issue once it's migrated. But in general, Spring Framework is not enforcing a particular dependency version and is only compiling against optional dependencies. There's no point in releasing a new Spring Framework version for that. Spring Framework does mention Jackson 2.9 support in its 4.3 line, so you should be safe using it.

On the Spring Boot side, we don't upgrade dependencies to new major versions in our maintenance cycle, so upgrading to Jackson 2.9 on that branch is not possible. Jackson maintainers won't be backporting this fix to the 2.8 branch, there's nothing we can do about that.

Note that Spring Boot 1.5.x imports the Jackson BOM but does not depend on jackson-modules-java8, which contains the bug. So Spring Boot does not depend on it out of the box through the published starters.

The best course of action from here is to check whether your application is depending on jackson-modules-java8 and in that case override the dependency version with <jackson.version>2.9.8</jackson.version> in your Maven pom. I've tried that setup with a sample application.

Even better, you should try upgrading your application to 2.0.x/2.1.x since the 1.5.x branch is already in maintenance mode and will be EOL this summer.

Thanks,

@bclozel bclozel closed this as completed Jan 10, 2019
@GFriedrich
Author

GFriedrich commented Jan 10, 2019

Hi @bclozel,

thank you for your detailed explanation.

The Spring Framework team started with the migration a few minutes after I had created my ticket, so I guess this was just bad luck. But thanks for confirming my assumption that I can safely update Jackson for the Spring Framework itself.

With regard to Spring Boot: I know that Spring Boot doesn't use jackson-modules-java8; nevertheless it uses jackson-databind (e.g. via spring-boot-actuator) and I can't update the one without the other. So the question would be whether I can safely use the newer version for them. I also understand that you don't want to update to a new major version for Jackson, but if they use semantic versioning correctly, that would be "just" a minor version update.

And yes, I could update to Spring Boot 2 / Spring 5, but this is not easily done for my projects and I need a faster solution than that. And due to the fact that Spring Boot 1.5 is still in maintenance mode, I thought you would at least update those libraries that contain vulnerabilities.

Regards

@bclozel
Member

bclozel commented Jan 10, 2019

As I said in my last comment, if your app is using that dependency, overriding that version is the best course of action. Did you try that in your application and run integration tests?

The dependency management is a convenience and a guarantee, but not a strict requirement - you're allowed to override dependency versions as long as things are compatible. As a general rule, we don’t upgrade to a new minor version of a dependency in a maintenance release, for both compatibility and stability reasons.

If we did that, upgrading to a Spring Boot maintenance release could exhibit important, unexpected behavior changes.
