Has CVE-2018-1000873 been fixed in Jackson 2.x? [clue: yes!] #2298

Closed
mldz100820 opened this issue Apr 12, 2019 · 4 comments

@mldz100820

Please, has CVE-2018-1000873 been repaired in Jackson 2.10.0?
In addition, when can the official version of Jackson 2.10.0 be downloaded at https://mvnrepository.com/?
Thank you in advance.

@cowtowncoder (Member)

I don't know what CVE-2018-1000873 is without looking. It would be good to link to it, and/or explain briefly what it is. I'll have a look.

@cowtowncoder cowtowncoder added this to the 2.9.8 milestone Apr 18, 2019
@cowtowncoder cowtowncoder changed the title from "about jackson-databind 2.10.0" to "Has CVE-2018-1000873 been fixed in Jackson 2.x?" Apr 18, 2019
@cowtowncoder cowtowncoder changed the title from "Has CVE-2018-1000873 been fixed in Jackson 2.x?" to "Has CVE-2018-1000873 been fixed in Jackson 2.x? [clue: yes!]" Apr 18, 2019
@cowtowncoder (Member)

@mldz100820 Did you actually read the description at https://nvd.nist.gov/vuln/detail/CVE-2018-1000873 ? It says:

This vulnerability appears to have been fixed in 2.9.8.

Further, there is a Jackson issue filed for this, although on a different repo:

FasterXML/jackson-modules-java8#90

which is as per what the CVE says.

@mldz100820 (Author) commented Apr 28, 2019

Thank you for your reply! Actually, I've read this already.
The security bug is in InstantDeserializer and DurationDeserializer of the jackson-datatype-jsr310 artifact.
But I didn't use jackson-datatype-jsr310; I only used jackson-databind 2.9.8 in my project,
but Black Duck Binary Analysis still reports CVE-2018-1000873.
Is there a dependency between jackson-databind 2.9.8 and Jackson-jsr310?
@cowtowncoder

@cowtowncoder (Member)

@mldz100820 Jackson-jsr310 has a dependency on databind, yes. But the specific CVE only affects Instant/Duration handling as fully implemented by the jsr310 module -- without it, databind would attempt to deal with them as POJOs and that would not trigger the issue (it also would not work very well for any use).

Security analysis tools appear to be crocks full of shite (as Kurt Vonnegut would put it), in general, for they do not have enough context or knowledge, and their authors do not have to care about accuracy. Money is brought in by people with good intentions who assume that the tools know what they are doing :-p
I know that knowing that does not help us very much if we are still negatively affected by false positives. But at least it is good to acknowledge that tooling as it is today has a low value proposition.
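The practical way to settle the question raised in the two comments above (is jackson-datatype-jsr310 actually on the classpath, and which version?) is to read the build's own dependency tree instead of trusting the scanner. The shell example below is added here and is not code from this issue or from the Jackson project: it parses `mvn dependency:tree` output and reports whether jackson-datatype-jsr310 is absent, present at or above the 2.9.8 fix, or present at an older version; the sample trees are constructed, and the `classify_jsr310` / `version_lt` names are the example's own.

```shell
#!/bin/sh
# Decide from `mvn dependency:tree` text whether jackson-datatype-jsr310 (the artifact
# CVE-2018-1000873 lives in) is on the classpath at all and, if so, whether its version
# predates the 2.9.8 fix named in this issue. Maven prints each node as
# group:artifact:packaging:version:scope; artifacts carrying a classifier have an extra
# field and are not handled by this example.

# version_lt A B: succeed when dotted version A is numerically lower than B.
version_lt() {
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$lowest" = "$1" ] && [ "$1" != "$2" ]
}

# classify_jsr310: reads dependency-tree text on stdin and prints
# ABSENT, "FIXED <version>" or "VULNERABLE <version>".
classify_jsr310() {
  version=$(grep -o 'com\.fasterxml\.jackson\.datatype:jackson-datatype-jsr310:[^:]*:[^: ]*' \
            | head -n 1 | cut -d: -f4)
  if [ -z "$version" ]; then
    echo ABSENT
  elif version_lt "$version" 2.9.8; then
    echo "VULNERABLE $version"
  else
    echo "FIXED $version"
  fi
}

# Constructed sample trees (not real build output): the reporter's situation
# (databind 2.9.8, no jsr310 module) and two trees that do pull the module in.
TREE_DATABIND_ONLY='[INFO] com.example:app:jar:1.0
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:compile
[INFO]    +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-core:jar:2.9.8:compile'
TREE_OLD_JSR310='[INFO] com.example:app:jar:1.0
[INFO] \- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.7:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.7:compile'
TREE_NEW_JSR310='[INFO] com.example:app:jar:1.0
[INFO] \- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.10.0:compile'

# Stand-alone run over the samples; on a real project: mvn dependency:tree | classify_jsr310
for tree in "$TREE_DATABIND_ONLY" "$TREE_OLD_JSR310" "$TREE_NEW_JSR310"; do
  printf '%s\n' "$tree" | classify_jsr310
done
```

A scanner that flags the first tree is reporting on jackson-databind's relationship to the module, not on a jsr310 jar that is actually shipped.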
