1. Support Portal
  2. RadiantOne IDDM (Formerly Known As FID)
  3. Troubleshooting

Interpreting jackson-databind Vulnerability Scan Findings

Shraddha Jamadade
Updated

RadiantOne vulnerability scans may flag older jackson-databind versions (for example 2.5.1 or 2.9.5) on Windows servers, even when those libraries are not actually used by the active RadiantOne installation. This article explains how to validate what RadiantOne is really using and how to interpret scan findings that point to backup/Recycle Bin locations.

Environment

  • RadiantOne / FID 7.4.8 and later
  • Windows deployments
  • Scan findings for jackson-databind (for example CVE-2019-17267)

Overview
Vulnerability scanners can report older jackson-databind JARs found on disk even when RadiantOne 7.4.8+ is installed and not using those copies at runtime. This typically happens when the flagged JARs are located in backup folders or Windows Recycle Bin directories rather than within the active RadiantOne installation.

Symptoms

  • Scanner flags jackson-databind versions such as 2.5.1 or 2.9.5.
  • Findings reference backup/Recycle Bin paths or a legacy GlassFish modules path.

Example non-runtime paths often seen in scan output:

D.BIN-...\databind.jar
D:\backup\databind.jar
D:\backup\databind-2.9.5.jar
radiantone\vds\appserver\glassfish\modules\jackson-databind.jar

Cause

  • RadiantOne 7.4.8+ upgrades jackson-databind to address known vulnerability concerns (including CVE-2019-17267).
  • Many scanners report any matching file present on disk, regardless of whether RadiantOne loads it.
  • In RadiantOne 7.4+, the scanned GlassFish modules path is not applicable.

Verify what’s in use

  • Confirm the RadiantOne version is 7.4.8 or later.
  • Identify the jackson-databind JAR under the active RadiantOne installation directory (the one used by running services).
  • Treat a finding as relevant only if the flagged JAR is located within (and loaded from) the active installation path.

Actions

  • If the flagged JARs exist only in backup/Recycle Bin locations:
    • No product remediation is required.
    • Optional: remove/archive old JARs and/or empty the Recycle Bin (per internal policy) to reduce scan noise.
  • If an older jackson-databind is found in the active RadiantOne installation path:
    • Upgrade to a supported RadiantOne release that includes the remediated dependency set.
Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.

Articles in this section

See more