
Upgrade Jackson's dependencies to address PRISMA-2023-0067 #23753

Merged (1 commit) Dec 5, 2024

Conversation

@Mariamalmesfer Mariamalmesfer commented Oct 1, 2024

Description

This PR upgrades Jackson dependencies to version 2.15.4, addressing the security vulnerabilities identified in PRISMA-2023-0067.

Motivation and Context

Reasons for the upgrade:
The upgrade to Jackson 2.15.4 resolves multiple critical security vulnerabilities, including a Denial of Service (DoS) vulnerability in jackson-core, caused by improper input validation during numeric type conversions. This update ensures enhanced security and system stability.

Impact

Image scan showed the vulnerability has been removed.
Image scan report: Image-scan-report-9 Sep.csv

Test Plan

Contributor checklist

  • Please make sure your submission complies with our development, formatting, commit message, and attribution guidelines.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

== RELEASE NOTES ==

Security Changes
* Upgrade Jackson dependencies to 2.15.4 in response to `PRISMA-2023-0067 <https://www.ibm.com/support/pages/security-bulletin-vulnerability-jackson-core-might-affect-ibm-business-automation-workflow-prisma-2023-0067>`_. :pr:`23753`
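A defender-side check that an upgrade like this one actually reaches every Jackson artifact, not just jackson-core: an added Python example, not code from this PR or from Presto, that walks a constructed pom.xml fragment, resolves `${property}` version references, and lists Jackson artifacts still pinned below the fixed version. The property name `dep.jackson.version` and the sample artifacts are assumptions; the 2.15.4 threshold is the version this PR upgrades to.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in Maven dependencyManagement shape; the property name and
# artifact list are assumptions, not copied from the Presto pom.xml this PR edits.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <dep.jackson.version>2.15.4</dep.jackson.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>${dep.jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.datatype</groupId>
        <artifactId>jackson-datatype-jdk8</artifactId>
        <version>2.14.2</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
FIXED_VERSION = "2.15.4"  # version this PR moves Jackson to

def parse_version(version):
    """Turn '2.15.4' into (2, 15, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def jackson_versions(pom_xml):
    """Map each com.fasterxml.jackson artifact to its version, resolving ${property} refs."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: p.text for p in root.iterfind("m:properties/*", NS)}
    found = {}
    for dep in root.iterfind(".//m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS)
        if not group.startswith("com.fasterxml.jackson"):
            continue  # only Jackson artifacts are in scope for this check
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        raw = dep.findtext("m:version", default="", namespaces=NS)
        found[f"{group}:{artifact}"] = re.sub(
            r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
    return found

def outdated_jackson(pom_xml, minimum=FIXED_VERSION):
    """Return Jackson artifacts still pinned below the minimum (default: the PR's 2.15.4)."""
    return sorted(n for n, v in jackson_versions(pom_xml).items() if parse_version(v) < parse_version(minimum))
```

Passing a higher `minimum` (for example the 2.17.2 discussed later in this thread) shows which artifacts a further bump would need to touch.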

linux-foundation-easycla bot commented Oct 1, 2024

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: Mariamalmesfer / name: Mariam AlMesfer (fd9be63)

@Mariamalmesfer Mariamalmesfer marked this pull request as ready for review October 1, 2024 09:20
@elharo elharo left a comment

Why not a later version like 2.17.1?

@elharo elharo changed the title Fix PRISMA-2023-0067 upgrade jackson core to 2.0.15 Fix PRISMA-2023-0067 upgrade jackson core to 2.15.0 Oct 1, 2024
elharo commented Oct 1, 2024

I know @steveburnett disagrees with me about this, but I really don't think we should be including dependency upgrades in the release notes.

elharo commented Oct 1, 2024

Looks like the most recent version is 2.18.0

@Mariamalmesfer (Contributor, Author)

> Looks like the most recent version is 2.18.0

The CVS scan suggests upgrading to version 2.15.0, as that's where the vulnerability was fixed. But if we want the latest updates, we can go with 2.18.0. Let me know your preference.

elharo previously approved these changes Oct 4, 2024
@elharo elharo left a comment

I'd prefer to go to the latest (honestly I'd prefer not to depend on jackson at all) but this is still an improvement.

@agrawalreetika
Member

@Mariamalmesfer @elharo Maybe we can update to the one version before the very latest, which is 2.17.2. What do you think?

@Mariamalmesfer (Contributor, Author)

> @Mariamalmesfer @elharo Maybe we can update to the one version before the very latest, which is 2.17.2. What do you think?

Sounds good to me. We can go with 2.17.2 if that works for everyone.
cc: @elharo

@Mariamalmesfer Mariamalmesfer force-pushed the jackson-core-fix branch 3 times, most recently from 6531651 to 840291d Compare October 7, 2024 11:54
@elharo elharo changed the title Fix PRISMA-2023-0067 upgrade jackson core to 2.15.0 Fix PRISMA-2023-0067 upgrade jackson core to 2.17.2 Oct 7, 2024
pom.xml (review thread, outdated, resolved)
@tdcmeehan tdcmeehan self-assigned this Oct 7, 2024
@steveburnett
Contributor

Please update the release note entry to the version being updated to. For example

== RELEASE NOTES ==

Security Changes
* Upgrade Jackson-core to 2.17.2 :pr:`#23753`

@elharo
Contributor

elharo commented Oct 10, 2024

I prefer 2.18.0 but I'm not sure others agree with this. Don't overthink it. Either 2.17.2 or 2.18 is better than what we have now.

@Mariamalmesfer Mariamalmesfer force-pushed the jackson-core-fix branch 4 times, most recently from ae11203 to 74b39c6 Compare November 27, 2024 17:56
pom.xml (review thread, outdated, resolved)
presto-bigquery/pom.xml (review thread, resolved)
@Mariamalmesfer Mariamalmesfer force-pushed the jackson-core-fix branch 6 times, most recently from 3ef9dcd to 1961e6c Compare November 28, 2024 10:41
agrawalreetika previously approved these changes Nov 28, 2024
@agrawalreetika agrawalreetika left a comment

LGTM
I think the entry in the release note should be changed, since you are not just upgrading jackson-core here.
cc @steveburnett

@Mariamalmesfer Mariamalmesfer changed the title Fix PRISMA-2023-0067 upgrade jackson core to 2.15.4 Upgrade Jackson's dependencies to address PRISMA-2023-0067 Dec 2, 2024
@steveburnett
Contributor

> LGTM I think the entry in the release note should be changed, since you are not just upgrading jackson-core here. cc @steveburnett

I agree @agrawalreetika, thank you!

@Mariamalmesfer , please update the release note entry to describe the other changes you are making. Also, please include at least one of the CVEs addressed by this PR. For formatting of the link to the CVE, see the example in Phrasing in the Release Note Guidelines. Thanks!

@steveburnett
Contributor

Two nits in the release note entry, looks good otherwise. Suggested edits below:

== RELEASE NOTES ==

Security Changes
* Upgrade Jackson dependencies to 2.15.4 in response to `PRISMA-2023-0067 <https://www.ibm.com/support/pages/security-bulletin-vulnerability-jackson-core-might-affect-ibm-business-automation-workflow-prisma-2023-0067>`_. :pr:`23753`

@tdcmeehan tdcmeehan left a comment

Just one last nit, otherwise looks good.

pom.xml (review thread, outdated, resolved)

If applied, this will:
* Upgrade Jackson Core, Databind, and other dependencies to version 2.15.4.
* Address security vulnerabilities, including PRISMA-2023-0067.
@steveburnett
Contributor

Thanks for the release note entry update! Some minor nits of formatting in the release note entry - my bad, I should have put ``` before and after the draft in my previous comment to display the single `s in the draft.

== RELEASE NOTES ==

Security Changes
* Upgrade Jackson dependencies to 2.15.4 in response to `PRISMA-2023-0067 <https://www.ibm.com/support/pages/security-bulletin-vulnerability-jackson-core-might-affect-ibm-business-automation-workflow-prisma-2023-0067>`_. :pr:`23753`

@Mariamalmesfer (Contributor, Author)

> Thanks for the release note entry update! Some minor nits of formatting in the release note entry - my bad, I should have put ``` before and after the draft in my previous comment to display the single `s in the draft.
>
> == RELEASE NOTES ==
>
> Security Changes
> * Upgrade Jackson dependencies to 2.15.4 in response to `PRISMA-2023-0067 <https://www.ibm.com/support/pages/security-bulletin-vulnerability-jackson-core-might-affect-ibm-business-automation-workflow-prisma-2023-0067>`_. :pr:`23753`

Thank you @steveburnett!

@tdcmeehan tdcmeehan merged commit ed176b9 into prestodb:master Dec 5, 2024
57 checks passed