
Presto JDBC driver needs to upgrade Jackson libraries to 2.16.0 due to various CVEs #21717

Open
dqmdev opened this issue Jan 17, 2024 · 1 comment

dqmdev commented Jan 17, 2024

Latest Presto JDBC driver (0.285) appears to still be using Jackson 2.10, which is old.

There are several well-publicized CVEs against this version of Jackson, notably:

1. com.fasterxml.jackson.core_jackson-core package versions before 2.15.0 are vulnerable to Denial of Service (DoS).
   - PRISMA-2023-0067: Add numeric value size limits via StreamReadConstraints (fixes sonatype-2022-6438) -- default 1000 chars (FasterXML/jackson-core#827)
   - PRISMA-2023-0068: Trim tokens in error messages to 256 bytes to prevent attacks (FasterXML/jackson-core#322)
   - PRISMA-2023-0069: OutOfMemoryError when writing BigDecimal (FasterXML/jackson-core#315)

2. CVE-2023-35116: jackson-databind is vulnerable to denial of service, fixed in Jackson 2.16.0
   https://nvd.nist.gov/vuln/detail/CVE-2023-35116
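The first item above refers to the StreamReadConstraints mechanism that jackson-core gained in 2.15, which caps the length of numeric tokens (1000 characters by default) so that an oversized number in untrusted JSON is rejected instead of being parsed into a huge BigDecimal. The following Java snippet is an added illustration, not code from this issue or from the Presto project; it assumes jackson-core and jackson-databind 2.16.0 on the classpath and Java 11 or later (for `String.repeat`). The class and method names are chosen for this example.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

/** Shows the numeric-length limit available in jackson-core >= 2.15 (example, not Presto code). */
public class NumberLengthLimitDemo {

    /** Builds an ObjectMapper whose parser rejects numeric tokens longer than maxDigits. */
    static ObjectMapper boundedMapper(int maxDigits) {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxNumberLength(maxDigits)   // 1000 is the library default since 2.15
                .build();
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(constraints)
                .build();
        return new ObjectMapper(factory);
    }

    /**
     * Returns true if the document parses, false if jackson-core refused it because a
     * stream constraint (here: number length) was exceeded. Other parse errors propagate.
     */
    static boolean parses(ObjectMapper mapper, String json) {
        try {
            JsonNode root = mapper.readTree(json);
            return root != null;
        } catch (StreamConstraintsException e) {
            // Thrown by the parser before the oversized number is materialised.
            return false;
        } catch (JsonProcessingException e) {
            throw new IllegalArgumentException("malformed JSON", e);
        }
    }

    public static void main(String[] args) {
        ObjectMapper mapper = boundedMapper(1000);

        // Constructed sample inputs: a normal value and a 5000-digit number such as an
        // attacker-controlled JSON body might carry.
        String normal = "{\"value\": 123.45}";
        String oversized = "{\"value\": " + "9".repeat(5000) + ".5}";

        System.out.println("normal parses:    " + parses(mapper, normal));     // true
        System.out.println("oversized parses: " + parses(mapper, oversized));  // false
    }
}
```

With a Jackson 2.10 parser, the second document would be accepted and the digits converted to a BigDecimal in full, which is the resource-exhaustion path the listed advisories describe; with 2.16.0 the limit applies even when no StreamReadConstraints is configured explicitly, so a client that bundles the newer jackson-core picks up the protection without code changes.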

@dqmdev dqmdev added the bug label Jan 17, 2024
@alileclerc

hi @dqmdev - we'd be happy for you to open up a PR if you'd like to work on this and contribute it back to the community.
