Vulnerability issue with jackson-databind 2.3.3

[Albesher97]

Hello everyone, hope all is well, in the latest GAMA version im getting a few vulnerabilities detected because jackson-databind 2.3.3 exists in the image; the jackon is found in: opt/gama-platform/plugins/msi.gama.ext_1.9.3.202402160556.jar (the timestamp could be different so just search for msi.gama.ext) --> unzip ./msi.gama.ext_1.9.3.202402220411.jar -d /tmp/msi_gama_ext
-->grep -R "jackson-databind" /tmp/msi_gama_ext (searching for the jar that has jackson inside)--> found inside /tmp/msi_gama_ext/geotools/ehcache-2.10.3.jar.
What should i do to remedy this can i not use this plugin? or can i delete this msi without breaking anything? how should i approach this, any and all help is appreciated, thanks!
P.S installing the latest jackon and forcing the container to use it with "ENV JAVA_OPTS="-Xbootclasspath/p:/opt/gama-platform/plugins/jackson-databind-2.18.3.jar" " will not fix this issue as the dependency is still there

[AlexisDrogoul]

Hi. This vulnerability only makes sense in the context of a server written in Java (like in Tomcat or similar frameworks). Which version of GAMA are you using ? 1.9.3 ?

[Albesher97]

yes im using 1.9.3

[AlexisDrogoul]

Frankly I do not see any reason to worry about. GAMA is not a web server and even if you are using its server features, this version of jackson is used in the GeoTools library only (we do not use jackson anymore for serialization/deserialization). To note is that the new versions of GAMA do not include jackson-databind anymore, without apparent issues, meaning that the library, although present, is probably not even used in 1.9.3.

[Albesher97]

can this not be upgraded then to use the latest jackson-databind or scrapped if its not used? would it be fine if i delete the jat for example?

[AlexisDrogoul]

@lesquoyb your opinion ?