We're aware of that, and we'll be upgrading it during the ongoing v0.11 series. It has been a hard deadlock caused by a mutual dependency between the Embulk core and plugins. We needed much time to remove the dependency through the v0.10 series, and we've done it just this year while it caused some plugin incompatibilities. If you're interested in it, please take a look at: https://www.embulk.org/articles/2020/07/01/meetup-20200709.html

We decided to keep it for a while because our usage is not strongly affected. The RCE is mostly about databinds with classnames specified in the given JSON, but that's not our use.
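One way to check the point made in the reply above against a Java code base, as an added example that is not from this thread or the Embulk project: a small scanner that flags the Jackson settings which let the JSON document name the class to instantiate. The file names and Java snippets are constructed samples, and the scan covers only the sources it is given, not plugins or other dependencies.

```python
import re

# Jackson constructs that let incoming JSON choose the class to instantiate.
PATTERNS = [
    (re.compile(r"\.\s*(?:enableDefaultTyping|activateDefaultTyping)\s*\("),
     "default typing enabled on ObjectMapper"),
    (re.compile(r"@JsonTypeInfo\s*\([^)]*\buse\s*=\s*(?:JsonTypeInfo\s*\.\s*)?"
                r"Id\s*\.\s*(?:CLASS|MINIMAL_CLASS)\b", re.S),
     "@JsonTypeInfo with class-name type id"),
]
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
LINE_COMMENT = re.compile(r"//[^\n]*")

def strip_comments(src):
    """Blank out Java comments but keep newlines so line numbers stay valid.
    Simplification: '//' inside a string literal is treated as a comment."""
    src = BLOCK_COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)
    return LINE_COMMENT.sub("", src)

def find_polymorphic_typing(sources):
    """sources: {path: java_source}. Returns sorted [(path, line, reason)]."""
    findings = []
    for path, src in sources.items():
        code = strip_comments(src)
        for pattern, reason in PATTERNS:
            for m in pattern.finditer(code):
                line = code.count("\n", 0, m.start()) + 1
                findings.append((path, line, reason))
    return sorted(findings)

# Constructed sample sources (not taken from any real project).
SAMPLES = {
    "SafeLoader.java": "ObjectMapper mapper = new ObjectMapper();\n"
                       "// mapper.enableDefaultTyping();  left disabled\n"
                       "Config c = mapper.readValue(json, Config.class);\n",
    "RiskyLoader.java": "ObjectMapper mapper = new ObjectMapper();\n"
                        "mapper.enableDefaultTyping();\n"
                        "Object o = mapper.readValue(json, Object.class);\n",
    "Event.java": "@JsonTypeInfo(\n"
                  "    use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)\n"
                  "public abstract class Event {}\n",
}

if __name__ == "__main__":
    for path, line, reason in find_polymorphic_typing(SAMPLES):
        print(f"{path}:{line}: {reason}")
```
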
I noticed embulk is using jackson 2.6.7 which is a very old version of jackson and suffers sooooo many RCE vulnerabilities. Does embulk have any mitigation for any RCE exploit via jackson?