I created a Camunda Webapp and Restapp using the Spring Boot starter dependencies, bundled them into a WAR and deployed it to a Liberty server. They are working fine. But when we run a Nexus IQ scan on the project, it reports the security vulnerability below on the jackson-databind dependency, as camunda-bpm-spring-boot-starter-rest uses this dependency.
“is vulnerable to Remote Code Execution (RCE). The `createBeanDeserializer()` function in the `BeanDeserializerFactory` class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.”
Could someone please help us find out whether Camunda has any plans to fix this issue, or whether any countermeasures are already implemented?
The workaround suggested by Nexus IQ is not to use default typing, by explicitly calling `objectMapper.disableDefaultTyping()`. Is there any way to implement this?
Thanks in Advance,
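As an added example, not from the original post and not Camunda's own code: a plain Jackson check that shows what "default typing" changes for an untyped `Object` field, and a small test you can run against whatever `ObjectMapper` your application exposes to confirm default typing is off. The `Envelope` class and the sample JSON are constructed for the check; it assumes nothing about how Camunda's REST API configures its own mapper.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

import java.util.List;

public class DefaultTypingCheck {

    // Hypothetical DTO: an untyped field is exactly what default typing treats polymorphically.
    public static class Envelope {
        public Object value;
    }

    // Constructed sample. With default typing active, ["<class name>", {...}] is read as a
    // type id plus payload; with default typing off it is just a two-element JSON array.
    static final String SAMPLE_JSON = "{\"value\":[\"java.util.HashMap\",{\"a\":1}]}";

    // The weak configuration: default typing switched on for Object/non-concrete fields.
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(LaissezFaireSubTypeValidator.instance);
        return mapper;
    }

    // The hardened configuration. A fresh ObjectMapper already has default typing off; calling
    // deactivateDefaultTyping() (disableDefaultTyping() on jackson-databind < 2.10) makes that
    // explicit and undoes an activateDefaultTyping() made elsewhere on a shared mapper.
    public static ObjectMapper hardenedMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.deactivateDefaultTyping();
        return mapper;
    }

    // Returns true when the mapper treats the class-name element as plain data (default
    // typing off) and false when it honours it as a type id (default typing on).
    public static boolean ignoresTypeIds(ObjectMapper mapper) throws Exception {
        Envelope e = mapper.readValue(SAMPLE_JSON, Envelope.class);
        return e.value instanceof List;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("weak mapper ignores type ids:     " + ignoresTypeIds(weakMapper()));     // false
        System.out.println("hardened mapper ignores type ids: " + ignoresTypeIds(hardenedMapper())); // true
    }
}
```

Point `ignoresTypeIds` at the mapper your application actually uses for request bodies; a `false` result means default typing is active and the Nexus IQ workaround has not taken effect for that mapper.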