Hi,

oVirt Engine is using JBoss Modules feature to load libraries, so when a library version is mentioned in pom.xml it's unrelated to which version is being using during runtime. Here's the detailed description:

1. jackson-databind 2.12.7 mentioned pom.xml is actually being used only when building the project directly with maven (development purposes)

2. When building the project as a part of RPM build, then maven (respectively xmvn) is invoked to use only libraries installed locally as a part of RPM dependencies
   So on CS8 we can easily find out the jackson-databind package version being used during RPM build
        # dnf repoquery --whatprovides 'jackson-databind >= 2.10.0'
        jackson-databind-0:2.10.0-1.module_el8.4.0+595+e59c9af2.noarch
        jackson-databind-0:2.10.0-1.module_el8.4.0+782+1d1c31a0.noarch

3. On runtime vdsm-jsonrpc-java is being loaded using JBoss Modules as a part of oVirt Engine:
   which shows that vdsm-jsonrpc-java depends on com.fasterxml.jackson.core.jackson-databind module, which is included in the relevant WildFly release.
   Currently oVirt Engine is using WildFly 24.0.1, so you can see jackson-databind version using following command:
        # rpm -ql ovirt-engine-wildfly | grep 'jackson-databind-'
        /usr/share/ovirt-engine-wildfly/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.12.3.jar
       
So if you want to bump jackson-databind version for oVirt Engine runtime you have two possibilities:

1. You can deliver updated JBoss module as a part of ovirt-engine-wildfly-overlay RPM: https://github.com/oVirt/ovirt-engine-wildfly/overlay
2. You can try to bump WildFly to latest version in ovirt-engine-wildfly RPM: https://github.com/oVirt/ovirt-engine-wildfly/
   Please be awate that at the moment it's not possible to use latest WildFly version, because oVirt Engine is using classic security model, which was removed in favor of Elytron in WildFly 25.
   So to bump WildFly version, you would need to implement changes in oVirt Engine to use Elytron.

Regarding verification the best way is to verify functionality by execution of oVirt System Tests: https://github.com/ovirt/ovirt-system-tests

Regards,
Martin


On Thu, Sep 14, 2023 at 11:44 PM Shubha Kulkarni <shubha.kulkarni@oracle.com> wrote:

Hi All

 

I am yet to get any feedback on my query. So I thought I will reach out again to see if any one has comment on this -

 

Background:

I see the commit for CVE-2020-36518 to vdsm-json-rpc to bump jackson version to 2.12.7

https://github.com/oVirt/vdsm-jsonrpc-java/commit/d1f423809fd491da7b5324b308dac896ded645a7

This change in only made in pom.xml is made with "default" scope (i.e compile).

 

Queries:

#1. So at runtime, that means this jar should be explicitly packaged somewhere else. I am wondering how is this newer jackson jar is picked up? Does it have anything to do with the change outside pom.xml that I don't see?

 

#2. Ideally, I would like to verify that vdsm-jsonrpc-java application is using jackson-core2.12.7 and jackson-databaind 2.12.7-1 when installed on engine system. What is the best way to do it?

 

Thanks

 

From: Shubha Kulkarni
Sent: Thursday, September 7, 2023 1:47 PM
To: devel@ovirt.org
Subject: Jackson-databind related changes

 

Hello!

 

There have been changes added to ovirt-engine and vdsm-jsonrpc-java repos to address security vulnerabilities in jackson-databind package. I see that the change is made to bump up version of jackson-databind package to 2.12.7.1.

I am wondering what is the rpm version for ovirt-engine and vdsm-jsonrpc-java that has these fixes? Also, I am curious what is the best way to validate these changes?

 

Thanks,

Shubha

_______________________________________________
Devel mailing list -- devel@ovirt.org
To unsubscribe send an email to devel-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/devel@ovirt.org/message/UDIWOPJMWDCRB53I7P7H2YA7MUEY3QMX/


--
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.