Updated jackson-databind version to 2.9.9.2

[mibo]

Updated jackson-databind version to 2.9.9.2 which contains fix for:

• CVE-2019-14379
• CVE-2019-14361 / CVE-2019-14439

[mibo]

In addition a new release after merge would be great 🙂

[mibo]

Can I support in any way?

[scottfrederick]

@mibo Is there evidence to suggest that either of these CVEs is likely to impact the Connectors usage of Jackson? The shaded version of Jackson in Connectors is only used to parse VCAP_SERVICES, and it seems unlikely to me that a VCAP_SERVICES payload would contain serialized objects of the types that are excluded in Jackson 2.9.9.2.

I can merge this PR, but I'm hesitant to do a Connectors release for every Jackson version that gets released, as this happens pretty frequently.

Is there something else that is driving the urgency of this?

Note that this project is in maintenance mode. While we will continue to address security-related issues, releases will generally be less frequent than they have been in the past.

[mibo]

I can completely understand your point.

Our issue is that we do regular security scans and update vulnerable versions (like jackson-databind).
Because this is re-bundled in the connectors (instead as a transitive dependency) we would like to have new releases.
However after I took a deeper look into those CVEs (based on this Blog article) you are right that the connectors should not be affected.
The only use of the ObjectMapper is in the CloudFoundryConnector and there the “Default Typing” is not enabled (via e.g. objectMapper.enableDefaultTyping()).
Can you confirm this please?

Nevertheless we would be happy about a new release 🙂
And in parallel we check our security processes to be (more) independent from your releases.

[scottfrederick]

Our issue is that we do regular security scans

I was afraid that was the case :-).

The only use of the ObjectMapper is in the CloudFoundryConnector and there the “Default Typing” is not enabled (via e.g. objectMapper.enableDefaultTyping()).
Can you confirm this please?

I concur.

I'll merge the change, but I'd like to wait a while for the release to make sure we don't get another Jackson version bump in the near future (as often happens, it seems).

I recommend looking into the Java CfEnv project mentioned about as a replacement for Connectors. It is a much smaller library, with far fewer dependencies (and no shaded Jackson libs), that delegates most of the work to Spring Boot auto-configuration libs.

[mibo]

Our issue is that we do regular security scans

I was afraid that was the case :-).

Sorry for that 🙃

The only...
Can you confirm this please?

I concur.

Thanks for confirmation.

I'll merge the change, ....

Thanks and I really appreciate this....

...but I'd like to wait a while for the release to make sure we don't get another Jackson version bump in the near future (as often happens, it seems).

...and this is fine for me and as written we also look for better solution in the future.

I recommend looking into the Java CfEnv project...

We also recommended this to our colleagues. However for some it seems to be not that easy.
But still we try to convince them 🙂