
List:       vdsm-devel
Subject:    =?utf-8?q?=5Bovirt-devel=5D?= Re: Jackson-databind related changes
From:       Martin Perina <mperina () redhat ! com>
Date:       2023-09-15 7:55:46
Message-ID: CAP5iht7=HxS-mzZ1ZjuMWOG7cxeSwtt18qRviit9mNkCBjg45Q () mail ! gmail ! com


Hi,

oVirt Engine is using the JBoss Modules feature to load libraries, so when a
library version is mentioned in pom.xml it's unrelated to which version is
being used during runtime. Here's the detailed description:

1. jackson-databind 2.12.7 mentioned in pom.xml is actually being used only
when building the project directly with maven (development purposes)

https://github.com/oVirt/vdsm-jsonrpc-java/blob/master/pom.xml.in#L61

https://github.com/oVirt/vdsm-jsonrpc-java/blob/master/client/pom.xml.in

2. When building the project as a part of RPM build, then maven
(respectively xmvn) is invoked to use only libraries installed locally as a
part of RPM dependencies

https://github.com/oVirt/vdsm-jsonrpc-java/blob/master/vdsm-jsonrpc-java.spec.in#L46
   So on CS8 we can easily find out the jackson-databind package version
being used during RPM build
        # dnf repoquery --whatprovides 'jackson-databind >= 2.10.0'
        jackson-databind-0:2.10.0-1.module_el8.4.0+595+e59c9af2.noarch
        jackson-databind-0:2.10.0-1.module_el8.4.0+782+1d1c31a0.noarch

3. On runtime vdsm-jsonrpc-java is being loaded using JBoss Modules as a
part of oVirt Engine:

https://github.com/oVirt/ovirt-engine/blob/master/backend/manager/dependencies/common/src/main/modules/org/ovirt/vdsm-jsonrpc-java/main/module.xml
  which shows that vdsm-jsonrpc-java depends on
com.fasterxml.jackson.core.jackson-databind module, which is included in
the relevant WildFly release.
   Currently oVirt Engine is using WildFly 24.0.1, so you can see
jackson-databind version using following command:
        # rpm -ql ovirt-engine-wildfly | grep 'jackson-databind-'

/usr/share/ovirt-engine-wildfly/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.12.3.jar


So if you want to bump jackson-databind version for oVirt Engine runtime
you have two possibilities:

1. You can deliver updated JBoss module as a part of
ovirt-engine-wildfly-overlay RPM:
https://github.com/oVirt/ovirt-engine-wildfly/overlay
2. You can try to bump WildFly to latest version in ovirt-engine-wildfly
RPM: https://github.com/oVirt/ovirt-engine-wildfly/
   Please be aware that at the moment it's not possible to use the latest
WildFly version, because oVirt Engine is using the classic security model,
which was removed in favor of Elytron in WildFly 25.
   So to bump WildFly version, you would need to implement changes in oVirt
Engine to use Elytron.

Regarding verification the best way is to verify functionality by execution
of oVirt System Tests: https://github.com/ovirt/ovirt-system-tests

Regards,
Martin


On Thu, Sep 14, 2023 at 11:44 PM Shubha Kulkarni <shubha.kulkarni@oracle.com>
wrote:

> Hi All
> 
> 
> 
> I am yet to get any feedback on my query. So I thought I will reach out
> again to see if any one has comment on this -
> 
> 
> 
> Background:
> 
> I see the commit for CVE-2020-36518 to vdsm-json-rpc to bump jackson
> version to 2.12.7
> 
> 
> https://github.com/oVirt/vdsm-jsonrpc-java/commit/d1f423809fd491da7b5324b308dac896ded645a7
>  
> This change is only made in pom.xml, with "default" scope (i.e.
> compile).
> 
> 
> 
> Queries:
> 
> #1. So at runtime, that means this jar should be explicitly packaged
> somewhere else. I am wondering how this newer jackson jar is picked up?
> Does it have anything to do with the change outside pom.xml that I don't
> see?
> 
> 
> 
> #2. Ideally, I would like to verify that the vdsm-jsonrpc-java application is
> using jackson-core 2.12.7 and jackson-databind 2.12.7-1 when installed on the
> engine system. What is the best way to do it?
> 
> 
> 
> Thanks
> 
> 
> 
> *From:* Shubha Kulkarni
> *Sent:* Thursday, September 7, 2023 1:47 PM
> *To:* devel@ovirt.org
> *Subject:* Jackson-databind related changes
> 
> 
> 
> Hello!
> 
> 
> 
> There have been changes added to ovirt-engine and vdsm-jsonrpc-java repos
> to address security vulnerabilities in jackson-databind package. I see that
> the change is made to bump up version of jackson-databind package to
> 2.12.7.1.
> 
> I am wondering what is the rpm version for ovirt-engine and
> vdsm-jsonrpc-java that has these fixes? Also, I am curious what is the best
> way to validate these changes?
> 
> 
> 
> Thanks,
> 
> Shubha
> _______________________________________________
> Devel mailing list -- devel@ovirt.org
> To unsubscribe send an email to devel-leave@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/devel@ovirt.org/message/UDIWOPJMWDCRB53I7P7H2YA7MUEY3QMX/
>  


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
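The thread's central point is that the jar a JBoss Modules runtime actually loads is the one declared by a module.xml `<resource-root>` entry under the WildFly modules tree, not the version written in pom.xml. The script below is an added example, not code from this thread or from the oVirt project: it walks a modules directory, reads each jackson-databind module.xml, resolves the declared jar, and compares its version against a required minimum, so a reviewer can confirm a fixed jackson-databind really is the one on the module path. The directory layout copies the path Martin quotes; the sample tree, the "overlay" layer name, the module.xml contents and the empty stand-in jar files are constructed here for demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or oVirt): check which jackson-databind jar
# a JBoss Modules tree would load, by reading module.xml <resource-root path=.../>
# entries, and compare each jar's version with a required minimum.
# The sample tree, overlay layer name and module.xml bodies are constructed.
set -eu

# Print the resource-root jar names declared in one module.xml, one per line.
module_resource_jars() {
    sed -n 's/.*<resource-root[^>]*path="\([^"]*\)".*/\1/p' "$1"
}

# Extract the version from a jar name such as jackson-databind-2.12.3.jar.
jar_version() {
    basename "$1" .jar | sed 's/^jackson-databind-//'
}

# Succeed when version $1 is greater than or equal to version $2 (sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Walk every jackson-databind module.xml below $1, resolve the jars it declares
# and report each one; return 1 if any declared jar is missing or below $2.
# Paths are assumed to contain no whitespace, as in the WildFly modules tree.
check_jackson_databind() {
    root="$1"; min="$2"; rc=0
    for modxml in $(find "$root" -path '*/jackson-databind/*' -name module.xml | sort); do
        dir=$(dirname "$modxml")
        for jar in $(module_resource_jars "$modxml"); do
            if [ ! -f "$dir/$jar" ]; then
                echo "MISSING  $dir/$jar"; rc=1; continue
            fi
            ver=$(jar_version "$jar")
            if version_ge "$ver" "$min"; then
                echo "OK   $ver  $dir/$jar"
            else
                echo "OLD  $ver  $dir/$jar (below $min)"; rc=1
            fi
        done
    done
    return $rc
}

# Write one constructed module directory: module.xml plus an empty stand-in jar.
write_module() {   # $1 = module directory, $2 = jar file name
    mkdir -p "$1"
    : > "$1/$2"
    cat > "$1/module.xml" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="com.fasterxml.jackson.core.jackson-databind">
    <resources>
        <resource-root path="$2"/>
    </resources>
</module>
EOF
}

# Build a sample tree: the base-layer jar version quoted in the thread (2.12.3)
# and a constructed "overlay" layer carrying the fixed 2.12.7.1.
make_sample_tree() {
    mods="com/fasterxml/jackson/core/jackson-databind/main"
    write_module "$1/system/layers/base/$mods" jackson-databind-2.12.3.jar
    write_module "$1/system/layers/overlay/$mods" jackson-databind-2.12.7.1.jar
}

# Stand-alone run against the constructed tree: reports OLD for the base layer,
# OK for the overlay, and a summary line because one module is below the minimum.
sample=$(mktemp -d)
make_sample_tree "$sample"
check_jackson_databind "$sample" 2.12.7.1 || echo "at least one module is below 2.12.7.1"
rm -rf "$sample"
```

On an engine host the same check would be run as `check_jackson_databind /usr/share/ovirt-engine-wildfly/modules 2.12.7.1`, which only trusts the jar that module.xml actually points at; a stray newer jar lying in the directory without a matching `<resource-root>` entry is never loaded and is therefore ignored here.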



_______________________________________________
Devel mailing list -- devel@ovirt.org
To unsubscribe send an email to devel-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/devel@ovirt.org/message/NP7LIHKTOHO37R37KDBREDZ6AZI6TCXW/



