Vulnerabilities tied to jackson-databind-2.9.6.jar and jackson-databind-2.9.8.jar on an AAI server


Article ID: 208511


Products

Automic Automation Intelligence

Issue/Introduction

The files below trigger vulnerability alerts on AAI 6.1.0 and later:

/<Install Dir>/jboss/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main

jackson-databind-2.9.6.jar

jackson-databind-2.9.8.jar

Environment

Release : 6.0.1

Component : AUTOMIC AUTOMATION INTELLIGENCE ENGINE

Resolution

AAI 6.1.0 and later use the file version below:

/<Install Dir>/jboss/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main
-rw-r--rw-. 1 root root 1348786 Feb  3 19:57 jackson-databind-2.9.10.3.jar
-rw-r--rw-. 1 root root    1493 Feb  3 19:57 module.xml

If you have this version of the file in place, that is all that is needed for AAI 6.1.0 and later.

Any older jackson-databind* files in that directory can safely be removed if you are on 6.1.0 and later.


You can verify the file version that is in use by looking at the module.xml file in that directory; it references only the latest file.
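
The module.xml check described above, as an added example (not Broadcom's or AAI's own tooling): a POSIX shell script that reads the resource-root entries in module.xml and labels each jackson-databind jar in the directory. The sample module.xml and the empty jar files are constructed for illustration, and the function names are hypothetical; pass the real module directory as the first argument.

```shell
#!/bin/sh
# Added example: label each jackson-databind jar in a JBoss module directory
# by whether module.xml loads it (its <resource-root path="..."/> entries).

# Print the jar names that module.xml in directory $1 references. Single-line
# XML comments are stripped first; multi-line comments are not handled.
referenced_jars() {
    sed -n -e 's/<!--.*-->//g' \
        -e 's/.*<resource-root[^>]*path="\([^"]*\)".*/\1/p' "$1/module.xml"
}

# Print one line per finding: IN-USE, UNREFERENCED (on disk but not loaded)
# or MISSING (referenced by module.xml but absent from disk).
audit_module_dir() {
    dir=$1
    [ -r "$dir/module.xml" ] || { echo "no readable module.xml in $dir" >&2; return 2; }
    refs=$(referenced_jars "$dir")
    for jar in "$dir"/jackson-databind*.jar; do
        [ -e "$jar" ] || continue               # glob matched nothing
        name=${jar##*/}
        if printf '%s\n' "$refs" | grep -qxF -- "$name"; then
            echo "IN-USE $name"
        else
            echo "UNREFERENCED $name"
        fi
    done
    printf '%s\n' "$refs" | while IFS= read -r name; do
        [ -z "$name" ] || [ -e "$dir/$name" ] || echo "MISSING $name"
    done
}

# Build a constructed sample directory (not a real AAI install); print its path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    cat > "$d/module.xml" <<'EOF'
<module xmlns="urn:jboss:module:1.5" name="com.fasterxml.jackson.core.jackson-databind">
    <resources>
        <!-- <resource-root path="jackson-databind-2.9.8.jar"/> -->
        <resource-root path="jackson-databind-2.9.10.3.jar"/>
    </resources>
</module>
EOF
    for v in 2.9.6 2.9.8 2.9.10.3; do : > "$d/jackson-databind-$v.jar"; done
    echo "$d"
}

# Usage: script.sh <module dir>; with no argument, run on the constructed sample.
if [ "$#" -gt 0 ]; then audit_module_dir "$1"
else s=$(make_sample_dir) && audit_module_dir "$s"; rm -rf "$s"; fi
```

UNREFERENCED lines are the older jars the article says can be removed on 6.1.0 and later. A MISSING line means module.xml points at a jar that is not on disk.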