jar包升级之解决方案 jackson-mapper-asl

项目背景: 应要求项目进行jar包升级,扫描到的jackson-mapper-asl-1.9.6.jar 具有高危漏洞
CVE-2018-14718 ==> cve详情

描述: 2.9.7 之前的 FasterXML jackson-databind 2.x 可能允许远程攻击者通过利用失败来阻止 slf4j-ext 类进行多态反序列化来执行任意代码。

当前项目使用的依赖是jackson-mapper-asl-1.9.6.jar

查阅mvnrepository官网依赖可知其最新的更新版本是1.9.13 而上文提到的是 jackson-databaind 两者artifactId 都对应不上,推测jackson-mapper-asl 迁移到了 jackson-databaind.

打开jackson-mapper-asl的mvn官网地址发现确实已经迁移到了jackson-databind

此时我们只需要剔除jackson-mapper-asl的依赖,并加入迁移后的指定版本的依赖即可:



    com.fasterxml.jackson.core
    jackson-databind
    2.13.0

而用idea去在项目中查询时却并未发现jackson-mapper-asl,那他是怎么引进来的呢,继续探索发现:

项目中引入了jackson-jaxrs,而他依赖于jackson-mapper-asl;

于是点开jackson-jaxrs mvn地址发现它也前移到了 jackson-jaxrs-json-provider

查看最新版本引用的jackson-databind版本发现是想要的

直接在项目中引入即可

        
            com.fasterxml.jackson.jaxrs
            jackson-jaxrs-json-provider
            2.13.0

最后启动项目发现报错:

21:29:36.854 - WARN [org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext:551] - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sessionManage': Cannot create inner bean 'org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider#6f74669c' of type [org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider] while setting bean property 'providers' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider#6f74669c': Failed to introspect bean class [org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider] for lookup method metadata: could not find class that it depends on; nested exception is java.lang.NoClassDefFoundError: org/codehaus/jackson/map/JsonMappingException
21:29:36.866 - ERROR [org.springframework.boot.SpringApplication:771] - Application startup failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sessionManage': Cannot create inner bean 'org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider#6f74669c' of type [org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider] while setting bean property 'providers' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider#6f74669c': Failed to introspect bean class [org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider] for lookup method metadata: could not find class that it depends on; nested exception is java.lang.NoClassDefFoundError: org/codehaus/jackson/map/JsonMappingException
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:313)

点开对应的配置文件,是配置的javaBean找不到了

联想到jackson-databind迁移以后权限定类名的改变

打开jackson-databind的包找到对应的JacksonJaxbJsonProvider类的全限定类名复制粘贴替换即可

jar包升级之解决方案 jackson-mapper-asl

你可能感兴趣的:(mavenjar安全)