On Wed, Oct 16, 2019 at 12:12 PM Fabrice Bacchella <fabrice.bacchella(a)icloud.com> wrote:
> When I launch ovirt 4.3.6, I see in the command line of the
> ovirt-engine:
> -Djackson.deserialization.whitelist.packages=org,com,java,javax
> That whitelist almost everything. Isn't that dangerous?
There is no other easy way to do that, because we are using a huge number
of classes which can be serialized into JSON. The way the CVE for Jackson
was fixed broke backward compatibility, but oVirt is not affected by this
CVE, because we use Jackson directly only when storing data in the
database or for internal engine - VDSM communication. So unless you have an
attacker who is able to tamper with data in your database, or an attacker
in the internal network who is able to masquerade as a proper host and
return problematic JSON back to the engine, you are not affected.
> When I read this:
> https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-...
> I think the white list should be as small as possible.
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement:
https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/GZODZPENEN2...
--
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
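The narrow allowlist Fabrice asks for, shown as an added Java example that is not oVirt's or Jackson's own code: upstream Jackson 2.10's BasicPolymorphicTypeValidator accepts only subtype names under one constructed prefix and refuses every other "@class" value before the named class is instantiated. The Message and Greeting types and the prefix are assumptions for the demo, not settings used by oVirt.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

public class NarrowAllowlist {
    // Hypothetical base type of the polymorphic payloads an application reads.
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
    public interface Message {}

    public static class Greeting implements Message {
        public String text;
    }

    // Allow only the concrete types nested in this class. Any other "@class"
    // value is rejected by the validator, so no unexpected type is built.
    // The prefix is a constructed example, not an oVirt setting.
    static ObjectMapper strictMapper() {
        BasicPolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(NarrowAllowlist.class.getName() + "$")
                .build();
        return new ObjectMapper().setPolymorphicTypeValidator(ptv);
    }

    // Returns true when the JSON is accepted, false when its type id is refused.
    static boolean accepts(String json) throws Exception {
        try {
            strictMapper().readValue(json, Message.class);
            return true;
        } catch (InvalidTypeIdException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one type on the allowlist, one ordinary JDK
        // class that is not, which the broad package list would not single out.
        String allowed = "{\"@class\":\"" + Greeting.class.getName()
                + "\",\"text\":\"hi\"}";
        String rejected = "{\"@class\":\"java.util.HashMap\"}";
        System.out.println("allowed:  " + accepts(allowed));
        System.out.println("rejected: " + accepts(rejected));
    }
}
```

The same validator is also what `ObjectMapper.activateDefaultTyping` takes when default typing is enabled, so the allowlist can be kept to the handful of packages an application actually deserializes.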