Optimize `UntypedObjectDeserializer` wrt recursion [CVE-2020-36518]

EDIT: related to CVE-2020-36518 (see https://nvd.nist.gov/vuln/detail/CVE-2020-36518)

EDIT: Fix included in

EDIT: included as one of Snyk’s “top-10 vulns of 2022” CVEs – see https://go.snyk.io/snyk-top-10-open-source-vulnerabilities-dwn-typ.html

The current implementation of `UntypedObjectDeserializer` is relatively expensive for deeply nested Object and Array values, as it uses recursion even for the “vanilla” case (one where there are no custom List/array or Map deserializers). In practical terms it is possible to exhaust the memory of a typical, modestly sized JVM with documents having about ten thousand levels of nesting, due to the size of the call stack from the recursive calls.

NOTE: specifically, this ONLY APPLIES if the target type is “untyped” or a generic `Collection<Object>` / `Map<String, Object>` – it DOES NOT APPLY to cases where the target is a POJO (except if the POJO itself has an “untyped” property or properties).

A similar issue was already solved wrt `JsonNode` (see #3397), included in 2.13.0; this might show a way to approach this problem: by replacing simple recursion with iteration, either completely or at some inner levels.

Also note that it may ultimately be necessary to have lower-level constraints for the streaming parser too, see: https://github.com/FasterXML/jackson-core/issues/637

Ideally it should be:

  1. Possible to handle at least tens of thousands of levels of nesting (100k should be processable with a 256M heap, say)
  2. Have streaming-level limits that – by default – block documents nested more deeply than a limit we deem safe (less than 100k – perhaps 10k or something, to be determined).

This issue is specifically about (1), as (2) is about jackson-core.
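As an added illustration (not code from jackson-databind or its maintainers), the approach the issue points to: an untyped List/Map reader that keeps an explicit stack instead of recursing, so call-stack size no longer grows with document depth, plus a configurable nesting limit in the spirit of point (2). It handles only a JSON subset (no string escapes or exponents); the token format, the function names and the 10,000-level default are assumptions made for this example.

```python
import re
# Tokenizer for a JSON subset (no string escapes or exponents): yields
# ("punct", ch) for [ ] { } : , and ("value", obj) for scalars.
TOKEN = re.compile(r'\s*(?:([\[\]{}:,])|"([^"\\]*)"|(-?\d+(?:\.\d+)?)|(true|false|null))')
LITERALS = {"true": True, "false": False, "null": None}
DEFAULT_MAX_DEPTH = 10_000  # hypothetical default, in the spirit of point (2) above

def tokenize(text):
    text, pos = text.rstrip(), 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected input at offset {pos}")
        pos = m.end()
        if m.group(1) is not None:
            yield "punct", m.group(1)
        elif m.group(2) is not None:
            yield "value", m.group(2)
        elif m.group(3) is not None:
            yield "value", float(m.group(3)) if "." in m.group(3) else int(m.group(3))
        else:
            yield "value", LITERALS[m.group(4)]

def untyped_iterative(text, max_depth=DEFAULT_MAX_DEPTH):
    """Build nested list/dict values with an explicit stack; no recursion, bounded depth."""
    stack, done = [], []  # stack entries: [open container, pending object key]
    def emit(value):  # attach a finished value to the innermost open container
        if not stack:
            done.append(value)
        elif isinstance(stack[-1][0], list):
            stack[-1][0].append(value)
        elif stack[-1][1] is None:  # first half of an object member: the key
            if not isinstance(value, str):
                raise ValueError("object keys must be strings")
            stack[-1][1] = value
        else:
            stack[-1][0][stack[-1][1]] = value
            stack[-1][1] = None
    for kind, tok in tokenize(text):
        if kind == "value":
            emit(tok)
        elif tok in "[{":  # opening a container is the only place depth grows
            if len(stack) >= max_depth:
                raise ValueError(f"nesting deeper than {max_depth} levels rejected")
            stack.append([[] if tok == "[" else {}, None])
        elif tok in "]}":  # ':' and ',' carry no information for this reader
            emit(stack.pop()[0])
    if stack or len(done) != 1:
        raise ValueError("malformed or incomplete document")
    return done[0]
```

For comparison, CPython's own `json.loads` recurses once per nesting level and raises `RecursionError` on a 100,000-level document; this reader returns it when the limit allows and otherwise rejects it with a `ValueError` rather than depending on the call stack.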

Issue Analytics

  • State: closed
  • Created: 3 years ago
  • Reactions: 6
  • Comments: 77 (42 by maintainers)

Top GitHub Comments

75 reactions
cowtowncoder commented, Mar 15, 2022

Oh fucking great. Someone decided to file a CVE for this one.

Surely teaches me to file issues on things I want to work on – and then some Very Nice Person is going to file a CVE to freak out everybody.

60 reactions
cowtowncoder commented, Mar 23, 2022

@Syed-Shahul-Hameed the more time I have to spend on answering this question, the slower the release is. As soon as I find time – this is a non-paid voluntary activity for me, alongside a real job and family – I will make a release.

In the meantime I just hope users will eventually push back on security tool vendors that cause all of this stress and fake alarm: Security Circus at its worst. This is wrt general applicability – there is an actual potential problem, for some users and usage. But not an immediate, generally applicable, wide-scale thing like remote execution.
