[GHSA-jjjh-jjxp-wpff] Uncontrolled Resource Consumption in Jackson-databind

[Christiaan-de-Wet]

Updates

• Affected products
• Description

Comments

• Clarifying the affected versions
• fixing description

[shelbyc]

Hey there @Christiaan-de-Wet, I'm reading the advisory and references now to get a clearer idea of what's going on with CVE-2022-42003. If my understanding is correct, it looks like a fix for CVE-2022-42003 was backported to version 2.13.4.1 of jackson-databind, but there is a micro-patch in version 2.13.4.2 due to an issue affecting Gradle users. Is that your understanding as well?

[shelbyc]

I'm not able to find reference links indicating that 2.12.7.1 and 2.13.4.1 are vulnerable. However, I was able to find a commit in version 2.12.0-rc1 where some of the vulnerable code that was patched in the fix commit was initially introduced.
Fix commit: FasterXML/jackson-databind@cd09097#diff-416896884d1e0706562f38c160757ff53196c441ce86a4ca49923f7aebad6a36L360
Commit where the vulnerable code in StdDeserializer.Java was introduced: FasterXML/jackson-databind@7ba9ac5#diff-416896884d1e0706562f38c160757ff53196c441ce86a4ca49923f7aebad6a36R247
I'll add the commit where the vulnerable code was introduced as a reference link. Thank you for the community contribution!

[advisory-database]

Hi @Christiaan-de-Wet! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

[Christiaan-de-Wet]

Hi @shelbyc

Apologies for the delayed response.

The maintainers of the Jackson Databind package released a fix for CVE-2022-42003 for their latest version 2.14.x in this commit d78d00e.
As you mentioned, they also released, what the refer to as, micro-patches in commit cd09097 for 2.12.7.1 and then merged to 2.13 in commit ce50e4c and tagged as 2.13.4.2 in commit ee316a0. To that end, the affected version is < 2.13.4.2 (or <=2.13.4.1)

For me it helped to visualise this in a graph.

---

As for when this was introduced, reviewing the issue which relates to UNWRAP_SINGLE_VALUE_ARRAYS and deep wrapped array nesting, appears to have been introduced in version 2.4 here.

This means that all versions since 2.4 would be vulnerable, some of which do no longer receive updates and will remain vulnerable unless updated to a non vulnerable version.

Affected versions would then be:

• 2.4.0-rc1 - 2.4.6.1
• 2.5.0-rc1 - 2.5.5
• 2.6.0-rc1 - 2.6.7.5
• 2.7.0-rc1 - 2.7.9.7
• 2.8.0 - 2.8.11.6
• 2.9.0.pr1 - 2.9.10.8
• 2.10.0.pr1 - 2.10.5.1
• 2.11.0.rc - 12.11.4
• 2.12.0-rc1 - 2.12.7
• 2.13.0-rc1 - 2.13.4.1

I may be wrong with this analysis but this is what I could deduce.

I hope this helps.

Regards
^C

[shelbyc]

@Christiaan-de-Wet Thank you for the explanation and for the graph! This is consistent with the commit history between versions 2.13.4.1 and 2.13.4.2, which shows that the commit backport Fix #3590 and Fix #3582 (#3622) was introduced in version 2.13.4.2.

[Christiaan-de-Wet]

You are welcome @shelbyc

When will the updates reflect on the advisory page?
GHSA-jjjh-jjxp-wpff

[shelbyc]

@Christiaan-de-Wet Thanks for being patient! I've updated the advisory and you should be able to see the changes now.

[Christiaan-de-Wet]

Amazing thank you ;p