Possible DoS if using JDK serialization to serialize JsonNode [CVE-2021-46877]
#3328
Comments
@cowtowncoder Please contact me if it requires any help with a fix implementation.
@plokhotnyuk Thank you. I think I know how to handle this as it is sort of similar to some issues with CBOR/Smile codecs. But if you are interested and have time, I would definitely accept help! Since I do not want to publicly disclose details yet, could you email me (https://groups.google.com/g/jackson-dev-infosec)? I can share details there as well.
Fix implemented, fwtw; backported for inclusion in:
@cowtowncoder do you have an estimate of when this fix is gonna be released in those versions? Thanks in advance.
@cowtowncoder do you plan to fix this for 2.11?
@freemanzMrojo Hoping to release 2.12.6 some time this week; 2.13.1 at the earliest this weekend, but we'll see. My non-paid OSS work time is severely limited these days, and especially so around holiday times. @jphelp32 No, neither 2.11 nor 2.10. I'll add a note to mention that this only affects versions 2.10.0+ (2.9.x and earlier not affected).
Hi @cowtowncoder, thanks a lot for your work.
@beedle- there is no 2.14 release yet.
@cowtowncoder Because of the vulnerability in jackson-databind version 2.12.5, I have been assigned the task of fixing this issue asap. Thanks in advance.
@devkhatri9 I am hoping to release 2.12.6 this week; 2.13.1 after that. But I am not paid for work related to Jackson, so my daytime job has priority here, which means that I do it when I have time to do it. It is also a bit unfortunate that the whole Security Scare Business has cropped up to spread FUD -- this issue, for example, is unlikely to affect a sizable part of the user base at all. Yet everyone is scrambling because a CVE is filed and tooling is alarming and alerting everyone regardless, since tooling cannot really determine applicability by any means other than version number: black-and-white, on/off criteria.
Hello team, any update on this?
2.12.6 was just released last night. Will need to address an issue wrt 2.13 but hoping to follow up with 2.13.1 within a week. After this I can disclose more about the vulnerability, which (IMO) is not really very significant, not widely applicable. But, you know, having been filed, it must be addressed.
Thanks for the release. I think indeed the whole discussion here started because the vulnerability has been assessed at CVSS 7.5 (HIGH) by JFrog in Xray, and this might have been overestimated.
Hmmmh. 7.5 sounds ridiculously high -- but it will be easier to re-classify knowing the details, once I fill them in.
tbh, no exploit requiring an attacker-controlled JDK serialization payload should be rated with that high a severity...
I totally agree; internally I did lower the priority (but of course I had to provide argumentation ;-)).
2.13.1 was just released as well, so the fix is available for 2.12 and 2.13. I will try to write the actual vuln description tomorrow if I have time.
Updated description; please LMK if it does (or especially if it does not) make sense.
@ovanekem do you happen to know of an official CVE requested? Or any public identifier that I could use?
There is a report of a possible DoS attack against certain versions of Jackson 2.10.x - 2.13.x (it does not affect earlier versions like 2.9, nor future 2.14 and 3.0).
CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-46877
The fix has been included in versions:
No current plans to backport into the 2.10 or 2.11 branches (2.9 and earlier are not affected).
CVE description
Applicability
The vulnerability is available only when using JDK serialization to serialize or deserialize JsonNode values: this is not something most users ever do, nor is it recommended for general usage. So, any other use of JsonNode is completely unrelated to the reported CVE: this ONLY APPLIES WITH JDK SERIALIZATION.
Example
So how does one use JDK Serialization with Jackson's JsonNode?
Example of such usage (copied from test NodeJDKSerializationTest.java) is:
The issue with JDK serialization is due to the combination of the format used and the original code (see class NodeSerialization for details).
First: JsonNode is serialized as a sequence of bytes where the first 4 bytes indicate the length of the actual content, and the contents are the JSON serialization itself. When reading it back (JDK deserialization), the length is read first, the original code allocates a byte[] with that size, and then the contents are read. This works, functionally speaking.
But if an attacker provides, instead, a payload that contains only the 4-byte length, with a value of Integer.MAX_VALUE, then the decoder will (at step 2) allocate a byte[] array of that size. The problem here is that during step (2), a large buffer allocation may well run the process out of (heap) memory -- especially so if the attacker manages to inject multiple broken messages.
The fix is to avoid eager allocation of big buffers and only allocate buffers as needed, along with reading of the payload.
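Added example, not Jackson's own NodeSerialization code: the length-prefixed format described above, read first the original (eager) way and then the fixed (incremental) way, using only java.io and constructed payloads so it runs without Jackson. The class name, chunk size and sample JSON are assumptions.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

// Stand-in for the wire format described above (4-byte length, then that many bytes of JSON).
// Plain java.io rather than Jackson's NodeSerialization, so it runs without any dependency.
public class LengthPrefixedNodeDemo {
    // Original (vulnerable) shape: trust the prefix and allocate the whole buffer up front.
    // A prefix of Integer.MAX_VALUE makes this attempt a ~2 GiB allocation before reading a byte.
    static byte[] readEager(DataInputStream in) throws IOException {
        byte[] buf = new byte[in.readInt()];
        in.readFully(buf);
        return buf;
    }

    // Fixed shape: grow only as bytes actually arrive, in bounded chunks, and fail fast
    // with an IOException if the stream ends before the advertised length was delivered.
    static byte[] readIncremental(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len < 0) throw new IOException("negative length " + len);
        ByteArrayOutputStream out = new ByteArrayOutputStream(Math.min(len, 8192));
        byte[] chunk = new byte[8192];
        for (int remaining = len; remaining > 0; ) {
            int n = in.read(chunk, 0, Math.min(chunk.length, remaining));
            if (n < 0) throw new IOException("stream ended with " + remaining + " bytes missing");
            out.write(chunk, 0, n);
            remaining -= n;
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Well-formed payload (constructed): correct length prefix followed by a JSON document.
        byte[] json = "{\"id\":12345}".getBytes(StandardCharsets.UTF_8);
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        new DataOutputStream(bos).writeInt(json.length);
        bos.write(json);
        byte[] back = readIncremental(new DataInputStream(new ByteArrayInputStream(bos.toByteArray())));
        System.out.println("round-trip: " + new String(back, StandardCharsets.UTF_8));

        // Truncated payload (constructed): Integer.MAX_VALUE as the prefix and no content at all.
        // readEager would try to allocate ~2 GiB here; readIncremental rejects it at once.
        byte[] bad = { 0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF };
        try {
            readIncremental(new DataInputStream(new ByteArrayInputStream(bad)));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The incremental reader still honours the advertised length for a genuine payload; it only refuses to reserve memory the stream never delivers.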