FasterXML CVE fix in EAP 7.2 CP9 breaks RESTEasy PATCH requests

Solution Verified - Updated

Environment

Red Hat JBoss Enterprise Application Platform (EAP) 7.2 CP9

Issue

The jackson-databind CVE fixes shipped in EAP 7.2 CP9 tighten the check on which types Jackson is allowed to deserialize. com.github.fge.jsonpatch.CopyOperation, the class behind the JSON Patch "copy" operation that RESTEasy's PATCH support relies on, is not allowed by default, so a PATCH request carrying an application/json-patch+json body fails with:

com.fasterxml.jackson.databind.exc.InvalidDefinitionException: Illegal type (com.github.fge.jsonpatch.CopyOperation) to deserialize: prevented for security reasons

Resolution

Add the package to Jackson's deserialization allowlist by setting the system property jackson.deserialization.whitelist.packages to com.github.fge.jsonpatch, for example in JAVA_OPTS in standalone.conf or as a <system-properties> entry in standalone.xml, and restart or reload the server so the deployment picks it up:

-Djackson.deserialization.whitelist.packages=com.github.fge.jsonpatch

As the property name indicates, the exception is granted per package, so keep the value to the single package RESTEasy needs rather than widening it; the CVE fix remains in force for every type outside that package.
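The script below is an added example, not part of this solution or of EAP, that applies the workaround persistently through jboss-cli and then exercises a JSON Patch "copy" operation against a RESTEasy endpoint to confirm the exception is gone. It assumes (hypothetically) that EAP_HOME points at an EAP 7.2 CP9 installation running in standalone mode with the management interface on localhost:9990, and that the deployment exposes /app/api/users/{id} with a RESTEasy @PATCH resource method; the patch document is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Red Hat solution): persist the Jackson
# allowlist property via jboss-cli, then send a JSON Patch with a "copy"
# operation to verify that RESTEasy PATCH requests work again.
# Assumptions (hypothetical): EAP_HOME is an EAP 7.2 CP9 standalone install,
# management on localhost:9990, application context /app with a RESTEasy
# @PATCH method at /api/users/{id}.
set -eu

PROP_NAME=jackson.deserialization.whitelist.packages
PROP_VALUE=com.github.fge.jsonpatch

# jboss-cli command that writes the property into <system-properties> in
# standalone.xml, so it survives restarts (unlike an ad-hoc -D on the command line).
cli_add_command() {
    printf '/system-property=%s:add(value=%s)\n' "$PROP_NAME" "$PROP_VALUE"
}

# Equivalent JVM flag for JAVA_OPTS in standalone.conf.
jvm_flag() {
    printf '%s%s=%s\n' -D "$PROP_NAME" "$PROP_VALUE"
}

# Constructed RFC 6902 JSON Patch document. The "copy" operation is the one
# that Jackson maps to com.github.fge.jsonpatch.CopyOperation, i.e. the type
# the CP9 fix refuses to deserialize until the package is allowlisted.
json_patch_body() {
    cat <<'EOF'
[
  { "op": "replace", "path": "/displayName", "value": "Alice A." },
  { "op": "copy",    "from": "/displayName", "path": "/nickname" }
]
EOF
}

# Persist the property and reload so the deployment sees it. Needs a running server.
apply_workaround() {
    "$EAP_HOME/bin/jboss-cli.sh" --connect --command="$(cli_add_command)"
    "$EAP_HOME/bin/jboss-cli.sh" --connect --command=":reload"
}

# Send the PATCH and print the HTTP status. Before the workaround the request
# fails and the server log shows the InvalidDefinitionException for
# CopyOperation; afterwards the resource method receives the patched entity.
verify_patch() {
    json_patch_body | curl -sS -o /dev/null -w '%{http_code}\n' \
        -X PATCH -H 'Content-Type: application/json-patch+json' \
        --data-binary @- "$BASE_URL/api/users/42"
}

# Usage: EAP_HOME=/opt/jboss-eap-7.2 ./patch_whitelist.sh apply
#        BASE_URL=http://localhost:8080/app ./patch_whitelist.sh verify
case "${1:-}" in
    apply)
        : "${EAP_HOME:?set EAP_HOME to the EAP 7.2 CP9 installation}"
        apply_workaround
        ;;
    verify)
        : "${BASE_URL:=http://localhost:8080/app}"
        verify_patch
        ;;
esac
```

The apply step is the persistent form of the -D flag above; use jvm_flag if you prefer to keep the setting in standalone.conf. Run the verify step once before and once after applying the workaround so the before/after difference in the server log is unambiguous.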

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.