锐客网

  1. 首页 > it技术 > >

jar包升级之解决方案 jackson-mapper-asl

jar包升级之解决方案 jackson-mapper-asl
文章图片

项目背景: 应要求项目进行jar包升级,扫描到的jackson-mapper-asl-1.9.6.jar 具有高危漏洞
CVE-2018-14718 ==>cve详情
描述: 2.9.7 之前的 FasterXML jackson-databind 2.x 可能允许远程攻击者通过利用失败来阻止 slf4j-ext 类进行多态反序列化来执行任意代码。
当前项目使用的依赖是jackson-mapper-asl-1.9.6.jar
查阅mvnrepository官网依赖 可知 其最新的更新版本是1.9.13 而上文提到的是 jackson-databaind 两者artifactId 都对应不上,推测jackson-mapper-asl 迁移到了 jackson-databaind.
打开jackson-mapper-asl的mvn官网地址 发现确实已经迁移到了jackson-databind
jar包升级之解决方案 jackson-mapper-asl
文章图片

此时我们只需要剔除jackson-mapper-asl的依赖,并加入迁移后的指定版本的依赖即可:

com.fasterxml.jackson.core jackson-databind 2.13.0

而用idea去在项目中查询时却并未发现jackson-mapper-asl,那他是怎么引进来的呢,继续探索发现:
jar包升级之解决方案 jackson-mapper-asl
文章图片

项目中引入了jackson-jaxrs,而他依赖于jackson-mapper-asl;
于是点开jackson-jaxrs mvn地址 发现它也前移到了 jackson-jaxrs-json-provider
jar包升级之解决方案 jackson-mapper-asl
文章图片

查看最新版本引用的jackson-databind版本 发现是想要的
直接在项目中引入即可
com.fasterxml.jackson.jaxrs jackson-jaxrs-json-provider 2.13.0

最后启动项目发现报错:
21:29:36.854 - WARN [org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext:551] - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sessionManage': Cannot create inner bean 'org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider#6f74669c' of type [org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider] while setting bean property 'providers' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider#6f74669c': Failed to introspect bean class [org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider] for lookup method metadata: could not find class that it depends on; nested exception is java.lang.NoClassDefFoundError: org/codehaus/jackson/map/JsonMappingException 21:29:36.866 - ERROR [org.springframework.boot.SpringApplication:771] - Application startup failed org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sessionManage': Cannot create inner bean 'org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider#6f74669c' of type [org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider] while setting bean property 'providers' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider#6f74669c': Failed to introspect bean class [org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider] for lookup method metadata: could not find class that it depends on; nested exception is java.lang.NoClassDefFoundError: org/codehaus/jackson/map/JsonMappingException at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:313)

点开对应的配置文件,是配置的javaBean找不到了
jar包升级之解决方案 jackson-mapper-asl
文章图片

联想到jackson-databind迁移以后权限定类名的改变
【jar包升级之解决方案 jackson-mapper-asl】打开jackson-databind的包 找到对应的JacksonJaxbJsonProvider类的全限定类名 复制粘贴替换即可

    推荐阅读


    上一篇:Redis数据类型以及应用场景

    下一篇:Laravel 管道机制