Vulnerability in net.minidev_json-smart

Article ID: 241485

Products

Workload Automation Agent

Issue/Introduction

The Twistlock scanner used at Nationwide has reported that the jar file net.minidev_json-smart from our ESP docker image has a critical vulnerability.  It looks like moving from version 2.3 to 2.3.1 will resolve the issue.  Two questions.  Should we just patch it ourselves?  Does Broadcom feel it would break anything moving to the newer version?

It is the image we use to install an ESP agent on Kubernetes pods.

Environment

Release : 12.0

Component : Workload Automation System Agent

Resolution

json-smart.jar is used only by the appservice webservice plugin.

If you do not use or enable this plugin, you can remove json-smart.jar manually. That should not cause any issue.

Otherwise, you can update the jar, but you also need to update the jars it depends on: net.minidev:json-smart depends on net.minidev:accessors-smart. Both jars can be updated to version 2.3.1.
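Because the two jars must move together, a quick way to confirm an agent library directory after the update is to read the Maven version recorded inside each jar and flag any of the two that is not at 2.3.1. This is an added example, not Broadcom's code; it assumes the jars are Maven-built (so they carry META-INF/maven/net.minidev/&lt;artifact&gt;/pom.properties), that the library directory path is supplied by the caller, and the sample jars it writes are a constructed fixture.

```python
import tempfile
import zipfile
from pathlib import Path

TARGET_VERSION = "2.3.1"
MINIDEV_GROUP = "net.minidev"
# Both artifacts the KB says must be updated together (json-smart depends on accessors-smart).
MINIDEV_ARTIFACTS = ("json-smart", "accessors-smart")


def jar_version(jar_path, group, artifact):
    """Read the version from the pom.properties that Maven-built jars embed (None if absent)."""
    entry = f"META-INF/maven/{group}/{artifact}/pom.properties"
    with zipfile.ZipFile(jar_path) as zf:
        if entry not in zf.namelist():
            return None
        for line in zf.read(entry).decode("utf-8").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def check_minidev_jars(lib_dir):
    """Map each net.minidev artifact to (version found or None, status)."""
    report = {}
    for artifact in MINIDEV_ARTIFACTS:
        jars = sorted(Path(lib_dir).glob(f"{artifact}*.jar"))
        if not jars:
            report[artifact] = (None, "missing")  # acceptable when the plugin is not used and the jar was removed
            continue
        version = jar_version(jars[0], MINIDEV_GROUP, artifact)
        report[artifact] = (version, "ok" if version == TARGET_VERSION else "outdated")
    return report


def all_updated(report):
    """True only when every artifact is present and at the target version."""
    return all(status == "ok" for _, status in report.values())


def make_sample_lib(versions):
    """Constructed fixture (hypothetical layout): minimal jars carrying only pom.properties."""
    lib_dir = Path(tempfile.mkdtemp())
    for artifact, version in versions.items():
        props = f"version={version}\ngroupId={MINIDEV_GROUP}\nartifactId={artifact}\n"
        with zipfile.ZipFile(lib_dir / f"{artifact}.jar", "w") as zf:
            zf.writestr(f"META-INF/maven/{MINIDEV_GROUP}/{artifact}/pom.properties", props)
    return lib_dir


if __name__ == "__main__":
    # json-smart bumped but its dependency left behind: the partial update the KB warns against.
    lib = make_sample_lib({"json-smart": "2.3.1", "accessors-smart": "2.3"})
    print(check_minidev_jars(lib))  # accessors-smart is reported as outdated
```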