Uploaded image for project: 'camunda BPM'
  1. camunda BPM
  2. CAM-14589

camunda-spin-dataformat-all 1.14.1 JAR gives Twistlock scan errors and blocks deployment

    XMLWordPrintable

Details

    • Bug Report
    • Resolution: Duplicate
    • L3 - Default
    • None
    • None
    • archetypes
    • None

    Description

      Environment (Required on creation): MODEL and PROD

      Description (Required on creation; please attach any relevant screenshots, stacktraces, log files, etc. to the ticket): 

      Twistlock scan error from camunda-spin-dataformat-all  blocks deployment of our application to MODEL and PROD environments. We have the below mentioned Camunda JARS (all updated to the highest versions available) in our application.

       

      Artifact Highest Version Available in Maven Central Version Used in Application
      camunda-engine-plugin-spin 7.17.0 7.17.0
      camunda-spin-core 1.14.1 1.14.1
      camunda-spin-dataformat-all 1.14.1 1.14.1
      camunda-bpm-spring-boot-starter-rest 7.17.0 7.17.0

      We have decompiled all the jars related to camunda and found jackson-databind from camunda-spin-dataformat-all artifact.(Screenshot attached)

      Steps to reproduce (Required on creation):

      Execute Twistlock scan on a Springboot-Camunda project with the above mentioned JAR files.

      Observed Behavior (Required on creation):

      Getting the below mentioned Twistlock scan error(CVE-2020-36518) from com.fasterxml.jackson.core_jackson-databindincluded in camunda-spin-dataformat-all artifact.

       

      Issue Link Description Severity Status Package Name
      CVE-2020-36518 https://nvd.nist.gov/vuln/detail/CVE-2020-36518 DOCUMENTATION: The MITRE CVE dictionary describes this issue as: jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. high fixed in 2.12.6.1, 2.13.2.1 com.fasterxml.jackson.core_jackson-databind

      Expected behavior (Required on creation):

      No Twistlock error should be thrown

      Root Cause (Required on prioritization):

      jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

      Solution Ideas (Optional):

      Release upgraded version of camunda-spin-dataformat-all artifact with co m.fasterxml.jackson.core_jackson-databind version  2.13.2.1

       

      Hints (optional):

      mgm-controller-panel

        This is the controller panel for Smart Panels app

        Attachments

          Issue Links

            duplicates

            Task - A task that needs to be done. CAM-14504 Update jackson-databind to >= 2.13.2.1/2.12.6.1

            • L3 - Default - Minor issue or issue with existing workaround, feature requests and questions
            • Closed

            Activity

              People

                Unassigned Unassigned
                aparna3012 Aparna R
                Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved:

                  Salesforce