http://coldfusion.com logo
#cfml-general
Title
# cfml-general
s

Scott Bennett

04/21/2022, 2:55 PM
There are many vulnerabilities (most notably CVE-2021-20190) showing up in a security scan that are related to /cfusion/lib/jackson-databind-2.8.8.jar (Adobe CF 2018 update 13). Is there any documentation on how to address that? I can't seem to find anything useful on google.
s

seancorfield

04/21/2022, 5:10 PM
The Jackson libs are very widely used and also a common CVE hotspot. Jackson 2.9.0 introduced some breaking behavior around the handling of JSON
null
and also changed the merging behavior in some cases, so updating beyond 2.8.x can be difficult depending on exactly how the app in question uses it.
It should be safe to update from 2.8.8 to 2.8.11 (2.8.11.6 in the case of databind) manually.
s

Scott Bennett

04/21/2022, 5:12 PM
is there a way of telling which cf functions/tags utilize that library so I could test the effects of upgrading it?
s

seancorfield

04/21/2022, 5:14 PM
Not really. @Mark Takata (Adobe) might be able to elaborate on exactly how/where ACF uses the various Jackson libraries. I suspect it's mostly in the REST API stuff but I'm guessing. If ACF were open-source, we could just look of course... 🙂
s

Scott Bennett

04/21/2022, 5:17 PM
@Mark Takata (Adobe) since it's part of the Adobe CF package, my company doesn't necessarily require me to fix it... If I just understand the risks, and maybe report it to Adobe, I could mark it as an accepted risk and just monitor Adobe's progress on mitigating it. However I couldn't find any official Adobe pages on it with my google searches either.
s

seancorfield

04/21/2022, 5:18 PM
We have one application stuck on 2.8.11 because it breaks in subtle ways if we move to 2.9.x or beyond. Most of our apps are on 2.10.2 right now but I'm trying to get rid of the dependency altogether where I can or move us to at least 2.11.4 (or, better, to 2.13.2 which is the current version).
m

Mark Takata (Adobe)

04/21/2022, 6:07 PM
I don't think there's an easy way to check exactly which library is being USED, but in CF2021 you could load a "light" CF instance using the CLI installer and then add some of the restful stuff and see when the libraries are added to the file system. I'll also ping the security team on whether we're looking at the Jackson library stuff as a potential security update or not.