
Bump jackson-core and logging-interceptor versions #25

Merged
merged 1 commit into from
Dec 13, 2023

Conversation

LevBernstein
Contributor

Description

Older versions of jackson-databind (part of jackson-core) and logging-interceptor are vulnerable to a variety of OWASP-acknowledged exploits, including CVE-2023-35116, CVE-2022-42004, CVE-2021-46877, and CVE-2023-0833. Both of those libraries are leveraged by duo_universal_java. This MR upgrades the dependencies to versions without those vulnerabilities.

I acknowledge that the security policy stipulates that vulnerabilities should be reported to Duo first; however, as this is an acknowledged (and patched) vulnerability in dependencies rather than the project's source code itself, I am simply opening an MR. Doing otherwise after I realized this issue exists would be security through obscurity, rather than actually solving the problem. Better to get this fixed ASAP.

Motivation and Context

duo_universal_java is currently open to a variety of exploits, including resource exhaustion, DOS, and XXE attacks. That is concerning. As a user (and enjoyer) of this project, I'd like to patch those vulnerabilities with this MR.

How Has This Been Tested?

All currently extant unit tests passed; beyond that, my ability to test is limited.

Types of Changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
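The description above argues that the fix is purely a dependency bump: the affected code is in jackson-databind and logging-interceptor, not in the project itself, so the check a defender wants is "does every resolved dependency version meet the patched minimum?". Below is an added example of such an audit, written for this page and not code from the PR or from the duo_universal_java project. It parses a constructed sample pom.xml (not the project's real build file), resolves `${property}` version references, and compares each pinned version against a table of minimum versions using a numeric comparison rather than string comparison (so 2.13.4 is correctly seen as newer than 2.9.10, and a release as newer than its own rc). The minimum versions in `MIN_VERSIONS` are placeholders, not taken from the page; fill them in from the advisories for the CVEs the PR names.

```python
"""Audit a Maven pom.xml for dependencies below a minimum (patched) version."""
import re
import xml.etree.ElementTree as ET

# Constructed sample build file for this example. It is NOT the project's real
# pom.xml, and the versions in it are illustrative placeholders only.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>sample-app</artifactId>
  <version>1.0.0</version>
  <properties>
    <jackson.version>2.9.10</jackson.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>com.squareup.okhttp3</groupId>
      <artifactId>logging-interceptor</artifactId>
      <version>4.9.0</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
    </dependency>
  </dependencies>
</project>
"""

# Minimum acceptable versions per (groupId, artifactId). PLACEHOLDER values:
# take the real fixed versions from the advisories for the CVEs the PR names.
MIN_VERSIONS = {
    ("com.fasterxml.jackson.core", "jackson-databind"): "2.15.0",
    ("com.squareup.okhttp3", "logging-interceptor"): "4.12.0",
}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(v):
    """Turn a Maven version into a comparable key.

    Numeric segments are compared as integers (padded to four places so
    2.13 < 2.13.4), and a bare release sorts above its own pre-releases
    (2.13.0 > 2.13.0-rc1). This covers the common layouts; exotic
    qualifiers follow plain string order.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[.\-](.*))?$", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    qual = m.group(2) or ""
    return (tuple(nums), 0 if qual else 1, qual)


def resolve(value, props):
    """Expand ${property} references from the <properties> block; unknown
    properties are left as-is so the caller can flag them."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)


def audit_pom(pom_xml, min_versions=MIN_VERSIONS):
    """Return (groupId, artifactId, version, minimum, status) for every
    dependency in the pom that is tracked in min_versions and is either
    below the minimum or has a version this script cannot resolve."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.rsplit("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        raw = dep.findtext("m:version", default="", namespaces=NS).strip()
        ver = resolve(raw, props)
        minimum = min_versions.get((gid, aid))
        if minimum is None:
            continue  # not a tracked library
        if not ver or "${" in ver:
            # Version managed by a parent/BOM or an unknown property:
            # cannot judge it here, so surface it rather than pass silently.
            findings.append((gid, aid, ver, minimum, "unresolved"))
        elif parse_version(ver) < parse_version(minimum):
            findings.append((gid, aid, ver, minimum, "below-minimum"))
    return findings


if __name__ == "__main__":
    for gid, aid, have, need, status in audit_pom(SAMPLE_POM):
        print(f"{status}: {gid}:{aid} has {have or '?'}, need >= {need}")
```

Run against the constructed pom above, the script reports both tracked libraries as below the placeholder minimums and ignores junit, which is not tracked. The "unresolved" status is deliberate: a version inherited from a parent POM or BOM is exactly the case a text search over pom.xml misses, which is one plausible reason an automated checker can fail to notice an outdated transitive or managed dependency.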

@AaronAtDuo
Contributor

@LevBernstein Thank you for this PR. We definitely want to get vulnerable libraries updated. We do have dependabot monitoring this library; I'm curious why it didn't catch this...

This looks good to me and as soon as CI passes I'll get this merged.

@AaronAtDuo AaronAtDuo merged commit 6cfcfd2 into duosecurity:main Dec 13, 2023
1 check passed