question

Hemant.Rumde_183868 avatar image
Hemant.Rumde_183868 asked smadhavan commented

DSE includes a version of Jackson-databind package identified as vulnerable to RCE in CVE-2020-8840

DSE jar is using Jackson-databind library. Twistlock informed critical vulnerabilities for the Jackson-databind version used in DSE. I tried to use different version by dependency in pom.xml

However DSE is not using the secured version suggested by twistlock report. Is it tightly coupled with the older version? This critical vulnerability is blocking deployment in K8S cluster.

I tried following dependencies

<dependency>
  <groupId>com.datastax.oss</groupId>
  <artifactId>java-driver-core</artifactId>
  <version>4.7.2</version>
</dependency>
<dependency>
  <groupId>com.datastax.dse</groupId>
  <artifactId>dse-java-driver-graph</artifactId>
  <version>1.9.0</version>
</dependency>
<dependency>
  <groupId>io.dropwizard.metrics</groupId>
  <artifactId>metrics-core</artifactId>
  <version>3.2.2</version>
</dependency>

Can you provide us pom dependencies to remove existing vulnerabilities?

dsecass-operatorcve
1 comment
10 |1000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

smadhavan avatar image smadhavan ♦ commented ·

@Hemant.Rumde_183868, one other thing to note is when you're leveraging the Unified Java Driver,

com.datastax.oss
  java-driver-core
  4.7.2

you should not be needing to add any other dependencies like as below as it is already included part of the Unified Java Driver,

com.datastax.dse
  dse-java-driver-graph
  1.9.0
0 Likes 0 ·

1 Answer

Erick Ramirez avatar image
Erick Ramirez answered Erick Ramirez edited

Background

DataStax Enterprise ships with the Jackson databind package -- a general-purpose data-binding functionality and tree-model for the Jackson Data Processor.

The latest version DSE 6.8.1 (at the time of writing) ships with Jackson databind v2.9.10.2 (jackson-databind-2.9.10.2.jar) which has been flagged as vulnerable to remote code execution (RCE) as disclosed in the National Vulnerability Database (NVD) as vulnerability CVE-2020-8840.

Patched releases

The Jackson databind project patched issue #2620 to address the vulnerability in version 2.9.10.3.

The next planned release of DSE 6.8 is tabled to ship with Jackson databind version 2.9.10.4 (internal DataStax ID DSP-20981).

Resolution

I have noted that you already engaged DataStax Support directly and our engineers will provide you the relevant updates. Specifically on your question, updating the pom.xml is not relevant since the dependency is internal to DSE. The update will be provided in the next release of DSE 6.8.

For the benefit of other Community members watching this post, I will provide an update when a new version of DSE 6.8 gets released in the coming weeks. We are not in a position to provide an ETA at this point. Cheers!

Share
10 |1000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.