apache olingo: CVE-2022-40153 on dependency woodstox-core

Question

Our CVE tracker is flagging odata-client-core (version 4.8.0) for the presence of dependency woodstox-core (version 6.2.4) affected by CVE-2022-40153.

The relevant dependency tree is below:-

+- org.apache.olingo:odata-client-core:jar:4.8.0:compile
[INFO] |  +- org.apache.olingo:odata-client-api:jar:4.8.0:compile
[INFO] |  |  \- org.apache.olingo:odata-commons-api:jar:4.8.0:compile
[INFO] |  +- org.apache.olingo:odata-commons-core:jar:4.8.0:compile
[INFO] |  +- commons-codec:commons-codec:jar:1.15:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |  |  \- org.apache.httpcomponents:httpcore:jar:4.4.15:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.12.6:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.6:compile
[INFO] |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:jar:2.12.6:compile
[INFO] |  |  +- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.12.6:compile
[INFO] |  |  +- org.codehaus.woodstox:stax2-api:jar:4.2.1:compile
[INFO] |  |  \- com.fasterxml.woodstox:woodstox-core:jar:6.2.4:compile

The issue is fixed in woodstox-core 6.4.0. The latest version of odata-client-core (version 4.9.0) is still using the vulnerable woodstox-core version.

1. Is there any plan of upgrading the version of woodstox-core? If yes, which version is expected to have the fix?
2. Is someone aware if the woodstox-core 6.4.0 is compatible with odata-client-core 4.8.0 or 4.9.0 version so that I can exclude woodstox-core 6.2.0 in my pom and add woodstox-core 6.4.0?

Answer 1

This has been answered in olingo mailing list. Below is the answer

Hi,

I have checked that Olingo works with Jackson 2.14.0 (which have newer version of woodstox-core) and have updated the Jackson version accordingly.
With the next version 4.10.0 it will be available.
For your current project I suggest to overwrite/set the used Jackson version to 2.14.0.

Kind Regards, Michael

Answer 2

Woodstox minor versions tend to be highly compatible in 5.x and 6.x series, only adding minor new functionality and fixes. So while I do not know for sure, I would think it very likely that 6.4.0 would work as a simple drop-in replacement for 6.2.0 for usage by this library.