
[CVE-2022-42003] A Denial of Service (DoS) vulnerability in com.fasterxml.jackson.core:jackson-databind


Describe the bug

Our security scanner on Keycloak reported a CVE coming from quarkus-jackson that might be worth considering upgrading in the upcoming releases. Below, you can find more details.

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. At the moment

Affected versions of this package are vulnerable to Denial of Service (DoS) in the _deserializeWrappedValue() function in StdDeserializer.java, due to resource exhaustion when processing deeply nested arrays.

NOTE: This vulnerability is only exploitable when the non-default UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.14.0-rc1 or higher.
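The advisory narrows exposure to two conditions: a jackson-databind older than the 2.14.0 fix line, and the non-default UNWRAP_SINGLE_VALUE_ARRAYS feature switched on. The following startup self-check is an added example, not code from the Quarkus issue or from the Jackson project; the class name is hypothetical and it assumes only that jackson-databind is on the classpath. It reports both conditions for a given ObjectMapper and shows what the feature does, so a team can decide whether it needs it at all.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.Version;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.PackageVersion;

// Added example (hypothetical class, not from the issue or the Jackson project).
// Two checks a service can run at startup: is the non-default feature that makes
// CVE-2022-42003 reachable enabled on this ObjectMapper, and is the jackson-databind
// on the classpath older than the fixed release line named in the advisory?
public final class JacksonCve202242003Check {

    // Advisory fix line: 2.14.0-rc1 or higher. Version.compareTo() orders on
    // groupId/artifactId/major/minor/patch and ignores the snapshot suffix, so
    // 2.14.0-rc1 compares equal to this value and is treated as fixed.
    private static final Version FIXED =
            new Version(2, 14, 0, null, "com.fasterxml.jackson.core", "jackson-databind");

    private JacksonCve202242003Check() { }

    /** True when UNWRAP_SINGLE_VALUE_ARRAYS is on; it is off in a default ObjectMapper. */
    public static boolean unwrapSingleValueArraysEnabled(ObjectMapper mapper) {
        return mapper.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
    }

    /** True when the runtime jackson-databind predates the fixed release. */
    public static boolean databindPredatesFix() {
        Version runtime = PackageVersion.VERSION;
        return !runtime.isUnknownVersion() && runtime.compareTo(FIXED) < 0;
    }

    /** Exposed only if both hold: vulnerable library AND the feature enabled on this mapper. */
    public static boolean exposed(ObjectMapper mapper) {
        return databindPredatesFix() && unwrapSingleValueArraysEnabled(mapper);
    }

    // What the feature does: with it enabled, "[42]" binds to an Integer;
    // with it disabled (the default), a single-value array is rejected.
    public static String describeUnwrapBehaviour(ObjectMapper mapper) {
        try {
            Integer v = mapper.readValue("[42]", Integer.class);
            return "single-value array unwrapped to " + v;
        } catch (JsonProcessingException e) {
            return "single-value array rejected: " + e.getOriginalMessage();
        }
    }

    public static void main(String[] args) {
        ObjectMapper defaults = new ObjectMapper();
        ObjectMapper unwrapping = new ObjectMapper()
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);

        System.out.println("jackson-databind runtime version: " + PackageVersion.VERSION);
        System.out.println("predates 2.14.0 fix line: " + databindPredatesFix());
        for (ObjectMapper m : new ObjectMapper[] { defaults, unwrapping }) {
            System.out.println("UNWRAP_SINGLE_VALUE_ARRAYS=" + unwrapSingleValueArraysEnabled(m)
                    + " exposed=" + exposed(m) + " -> " + describeUnwrapBehaviour(m));
        }
    }
}
```

Wiring `exposed(mapper)` into a health check or a unit test over every ObjectMapper the application builds turns the scanner finding into a yes/no answer for that deployment: a default Quarkus mapper reports the feature off, so only a mapper that code explicitly configured with the feature is worth escalating ahead of the upgrade.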

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 11 (9 by maintainers)

Top GitHub Comments

1 reaction
geoand commented, Oct 7, 2022

That is indeed true @famod - we don’t activate that and we don’t even expose a property for users to activate it - although of course users can configure their ObjectMapper in any way they see fit.

1 reaction
sberyozkin commented, Oct 6, 2022

Sure, even if it is a public CVE, its visibility just gets increased.
