Uploaded image for project: 'camunda BPM'
  1. camunda BPM
  2. CAM-14589

camunda-spin-dataformat-all 1.14.1 JAR gives Twistlock scan errors and blocks deployment

XMLWordPrintable

    • Icon: Bug Report Bug Report
    • Resolution: Duplicate
    • Icon: L3 - Default L3 - Default
    • None
    • None
    • archetypes
    • None

      Environment (Required on creation): MODEL and PROD

      Description (Required on creation; please attach any relevant screenshots, stacktraces, log files, etc. to the ticket): 

      Twistlock scan error from camunda-spin-dataformat-all  blocks deployment of our application to MODEL and PROD environments. We have the below mentioned Camunda JARS (all updated to the highest versions available) in our application.

       

      Artifact Highest Version Available in Maven Central Version Used in Application
      camunda-engine-plugin-spin 7.17.0 7.17.0
      camunda-spin-core 1.14.1 1.14.1
      camunda-spin-dataformat-all 1.14.1 1.14.1
      camunda-bpm-spring-boot-starter-rest 7.17.0 7.17.0

      We have decompiled all the jars related to camunda and found jackson-databind from camunda-spin-dataformat-all artifact.(Screenshot attached)

      Steps to reproduce (Required on creation):

      Execute Twistlock scan on a Springboot-Camunda project with the above mentioned JAR files.

      Observed Behavior (Required on creation):

      Getting the below mentioned Twistlock scan error(CVE-2020-36518) from com.fasterxml.jackson.core_jackson-databindincluded in camunda-spin-dataformat-all artifact.

       

      Issue Link Description Severity Status Package Name
      CVE-2020-36518 https://nvd.nist.gov/vuln/detail/CVE-2020-36518 DOCUMENTATION: The MITRE CVE dictionary describes this issue as: jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. high fixed in 2.12.6.1, 2.13.2.1 com.fasterxml.jackson.core_jackson-databind

      Expected behavior (Required on creation):

      No Twistlock error should be thrown

      Root Cause (Required on prioritization):

      jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

      Solution Ideas (Optional):

      Release upgraded version of camunda-spin-dataformat-all artifact with co m.fasterxml.jackson.core_jackson-databind version  2.13.2.1

       

      Hints (optional):

        This is the controller panel for Smart Panels app

          1. DecompileCamundaJARs.png
            DecompileCamundaJARs.png
            56 kB

              Unassigned Unassigned
              aparna3012 Aparna R
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: