[TINKERPOP-2678] jackson-databind medium security issue identified - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.5.0
Fix Version/s: 3.6.0
Component/s: server
Labels:
None

Description

com.fasterxml.jackson.core_jackson-databind version 2.11.3 has this security issue identified. The resolution is in versions 2.14, 2.13.1 and 2.12.6

https://github.com/FasterXML/jackson-databind/issues/3328

Issue summary:

jackson-databind in certain versions from 2.10 is vulnerable to DoS attack, only when using JDK serialization to serialize, deserialize JsonNode values. An attacker can provide a 4-byte length payload, with the value of Integer.MAX_VALUE, that will cause the decoder to allocate a large buffer leading to out of heap memory - especially so if the attacker manages to inject multiple broken messages.

Attachments

Activity

People

Assignee:: Stephen Mallette

Reporter:: Aaron Coady

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 04/Jan/22 14:05

Updated:: 15/Feb/22 20:04

Resolved:: 15/Feb/22 20:04