Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Add check in primitive value deserializers to avoid deep wrapper array nesting wrt `UNWRAP_SINGLE_VALUE_ARRAYS` [CVE-2022-42003]

See original GitHub issue

TL;DNR:

Fix included in:

  • 2.14.0 once released (until then, 2.14.0-rc1 and rc2)
  • 2.13.4.2 micro-patch (jackson-bom 2.13.4.20221013). (NOTE: 2.13.4.1/2.13.4.20221012 have an issue that affects Gradle users)
  • 2.12.7.1 micro-patch (jackson-bom 2.12.7.20221012)

(note: similar to #3582 ) (note: originally found via oss-fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020)

Implementation of methods like _parseBooleanPrimitive (in StdDeserializer) uses idiom:

            if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
                p.nextToken();
                final boolean parsed = _parseBooleanPrimitive(p, ctxt);
                _verifyEndArrayForSingle(p, ctxt);
                return parsed;
            }

to handle unwrapping. While simple this exposes possibility of “too deep” nesting and possible problem with resource exhaustion in some cases. We should change this similar to how #3582 was handled.

Issue Analytics

  • State:closed
  • Created a year ago
  • Comments:44 (21 by maintainers)

github_iconTop GitHub Comments

16reactions
chadlwilsoncommented, Oct 13, 2022

Thanks a lot @cowtowncoder . I have contacted NVD/NIST with the relevant information and am seeking to get https://nvd.nist.gov/vuln/detail/CVE-2022-42003 updated to reflect these micro-patch releases so people’s scanner noise goes away if they update to these (or via relevant BOMs).

Will follow up for the separate CVE fix backported to 2.12.x if I get a positive response/outcome.

14reactions
chadlwilsoncommented, Oct 7, 2022

@DavidKorczynski I think we need coordinate better in future: my understanding was that a CVE would be filed, I’d be notified with id allocated (so I can update this issue, release notes), but CVE only made public once official release was out. But perhaps I am assuming there is a mechanism that does not exist between allocating an id and making it available for the public.

@cowtowncoder the mechanism definitely exists with MITRE to reserve and allocate a CVE independently of disclosure, which is normal practice. Indeed if one uses GHSA to raise ones security isues you can get GitHub to manage this process for you as a CVE Numbering Authority, as well as collaborate on the text in GitHub with those who raise the issue, leaving maintainers able to manage the disclosure alongside, or after a release is available.

Based on what I observed with the set of ossfuzz SnakeYAML vulns in the last few months and now this, the well intentioned and otherwise good work within ossfuzz is in some cases unleashing a torrent of noise on already limited OSS dev time due to the way our current generation of tools work (dependency checkers etc), complexity of dependency trees and then overreaction from certain ops/security folk who ignore important context and for some reason put blind trust in the CVE process (which is remarkably, err, subjective and subject to abuse IMHO).

Unfortunately this case does not seem like ‘responsible’ disclosure to me. I fear that if we as a community create noise like this, we take away from dev time (OSS and users alike) to actually address the most important security issues - instead replacing it with devs having to understand or explain risk severity, evaluate environmental context/feature usage yada yada, rather than just being able to upgrade and move on (ideally bot-and-test-automation assisted) - without having to think about whether one is affected or not.

Read more comments on GitHub >

github_iconTop Results From Across the Web

CVE-2022-42003
Add check in primitive value deserializers to avoid deep wrapper array nesting wrt `UNWRAP_SINGLE_VALUE_ARRAYS` · Issue #3590 ...
Read more >
CVE-2022-42003 Detail - NVD
... of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
Read more >
[#SPARK-40782] Upgrade Jackson-databind to 2.13.4.1
#3590: Add check in primitive value deserializers to avoid deep wrapper array nesting wrt `UNWRAP_SINGLE_VALUE_ARRAYS` [CVE-2022-42003] ...
Read more >
CVE-2022-42003 | Vulnerability Database - Debricked
4.1 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when...
Read more >
Vulnerability Details : CVE-2022-42003
... of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Expose `translate()` method of standard `PropertyNamingStrategy` implementations

Next page

JsonTypeInfo feature duplicates the already existing 'null'ed JsonTypeInfo#property property