Security Scans report version of Jackson Databind in Module ingest-geoip as being vulnerable

[centic9]

Elasticsearch version (bin/elasticsearch --version): 6.8 (but likely also 6.2, ... 7.x, 8.x, master, ...)

Plugins installed: [default]

JVM version (java -version): N/A

OS version (uname -a if on a Unix-like system): N/A

Description of the problem including expected versus actual behavior:

Security scans of our deployment bring up old versions of jackson-databind being used in module ingest-geoip.

Related vulnerabilities:

• CVE-2018-14721 (high)
• CVE-2018-19361 (high)
• CVE-2018-14719 (high)
• CVE-2018-14720 (high)
• CVE-2018-19362 (high)
• CVE-2018-19360 (high)

Version of jackson-databind which is reported as vulnerable: version 2.8.11.3

This version is still used by the latest version of the ingest-geoip module, see https://github.com/elastic/elasticsearch/blob/master/modules/ingest-geoip/build.gradle#L30

The version to have fixes is 2.9.8: https://github.com/FasterXML/jackson-databind/blob/affb3e85efd047377f8035ed67817822e79fe3be/release-notes/VERSION-2.x#L116, latest is 2.9.9.2.

I did not check if the module is actually vulnerable, but please update to a version that does not have known vulnerabilities nevertheless to silence such security scan reports.

[elasticmachine]

Pinging @elastic/es-core-features

[elasticmachine]

Pinging @elastic/es-core-infra

[rursprung]

this is still/again relevant, though it has been updated in the meantime.

this affects all releases: the dependency to jackson-databind is on an outdated version which contains known security problems.

on master it currently points to 2.8.11.4: https://github.com/elastic/elasticsearch/blob/master/buildSrc/version.properties#L14

the current 2.8.x release of jackson-databind is 2.8.11.6: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.8
please at least update to that.

however, please also note that 2.8 is officially no longer supported, their current releases are 2.9 (maintenance only) and 2.10 (open, full support): https://github.com/FasterXML/jackson/wiki/Jackson-Releases

depending on whether you can easily directly update to 2.10 also on your fixpacks i'd suggest that you might first update to 2.8.11.6 and cherry-pick that to all supported ES releases and then upgrade to 2.10 on master.

please note that this vulnerable dependency causes a security finding for us and prevents us from rolling out ES. others seem to have the same problem (see #53335 & #51650).

please don't close this issue with the comment that this should be send to [email protected]: this is not some new 0-day in your code, this is something which any dependency-scanning software will tell you, including free online services. this can be addressed like any normal bug and it can be fixed by anyone, not just security people.

[jasontedor]

this affects all releases: the dependency to jackson-databind is on an outdated version which contains known security problems.

I want to stress, which we have in a few places, that we are not exposed to any of the reported security issues. We understand that they cause problems for scanners, but from a security perspective, there is no issue exposed in Elasticsearch. We will investigate upgrading the dependencies. Tactically we will try upgrading to the 2.8.11.6 in our current release branches, and separately, investigate whether or not we can upgrade to the 2.10 series. In the past, there were serious performance regressions in the 2.9 and 2.10 series, so we will have to proceed more carefully here.