
Add check in BeanDeserializer._deserializeFromArray() to prevent use of deeply nested arrays [CVE-2022-42004] #3582

Closed
cowtowncoder opened this issue Aug 24, 2022 · 23 comments
Labels: 2.14 (Issues possibly planned for 2.14), CVE (Issues related to public CVEs / security vuln reports)

Comments

cowtowncoder (Member) commented Aug 24, 2022

Fix included in

  • 2.13.4
  • 2.12.7.1 micro-patch (jackson-bom 2.12.7.20221012)

(note: found by oss-fuzz, see: https://bugs.chromium.org/p/oss-fuzz/issues)

Currently the feature DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS is supported by most types, and deserializers tend to implement support using recursion, effectively allowing multiple nested layers of JSON Arrays to be unwrapped.
This is not a feature to support but just an implementation detail; ideally we should only allow a single JSON Array to wrap a value.

I think I have removed the ability for deeper nesting from some other types, so there may be some prior art.
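An added example (not code from the jackson-databind project) that exercises the boundary the fix draws: with UNWRAP_SINGLE_VALUE_ARRAYS enabled, exactly one wrapping JSON Array is unwrapped and a second level is rejected on a patched release (2.13.4 or later). `Point` is a constructed bean and the three JSON inputs are constructed samples.

```java
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.MismatchedInputException;

public class UnwrapSingleValueArrayCheck {

    // Constructed sample bean; any plain POJO handled by BeanDeserializer behaves the same.
    public static class Point {
        public int x;
        public int y;
    }

    // Returns true when the mapper refuses the input with a MismatchedInputException
    // (the exception handleUnexpectedToken() reports), false when it deserializes it.
    static boolean isRejected(ObjectMapper mapper, String json) throws Exception {
        try {
            mapper.readValue(json, Point.class);
            return false;
        } catch (MismatchedInputException e) {
            return true;
        }
    }

    static void check(String label, boolean ok) {
        if (!ok) {
            throw new AssertionError("unexpected behaviour: " + label);
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper strict = new ObjectMapper(); // feature disabled (ObjectMapper default)
        ObjectMapper unwrapping = new ObjectMapper()
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);

        String plain = "{\"x\":1,\"y\":2}";            // constructed sample input
        String wrappedOnce = "[{\"x\":1,\"y\":2}]";    // one wrapping Array
        String wrappedTwice = "[[{\"x\":1,\"y\":2}]]"; // two wrapping Arrays

        // Default settings: a bean is never read from a JSON Array at all.
        check("default, single wrap rejected", isRejected(strict, wrappedOnce));
        // Feature enabled: the plain object and exactly one wrapping Array are accepted...
        check("unwrap, plain accepted", !isRejected(unwrapping, plain));
        check("unwrap, single wrap accepted", !isRejected(unwrapping, wrappedOnce));
        // ...and a second level is refused instead of being recursed into.
        check("unwrap, double wrap rejected (patched)", isRejected(unwrapping, wrappedTwice));
        System.out.println("all checks passed");
    }
}
```

On a release before the fix the last check fails, because the deserializer unwraps the inner Array recursively rather than reporting a mismatch.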

@cowtowncoder cowtowncoder added to-evaluate Issue that has been received but not yet evaluated 2.14 Issues possibly planned for 2.14 and removed to-evaluate Issue that has been received but not yet evaluated labels Aug 24, 2022
cowtowncoder added a commit that referenced this issue Aug 24, 2022
@cowtowncoder cowtowncoder added the has-failing-test Indicates that there exists a test case (under `failing/`) to reproduce the issue label Aug 24, 2022
@cowtowncoder cowtowncoder changed the title Add check in BeanDeserializer._deserializeFromArray() to try to prevent use of deeply nested arrays Add check in BeanDeserializer._deserializeFromArray() to prevent use of deeply nested arrays Aug 24, 2022
@cowtowncoder cowtowncoder added this to the 2.14.0 milestone Sep 4, 2022
cowtowncoder (Member, Author) commented:

@henryrneh I think it is reasonable to file a CVE for this, although one caveat is that it is only applicable if users enable a specific DeserializationFeature and not with the vanilla (default) setting of ObjectMapper. So that should probably at least be reflected in applicability -- I do not have any statistics on how common enabling this feature is, but it is probably a minority of usage.

DavidKorczynski commented:

This issue was found by a fuzzer written by the Ada Logics team and is part of an ongoing security assessment. @henryrneh, can you please ensure that the issues you report are ones found by the fuzzers written by your team (https://github.com/google/oss-fuzz/blob/master/projects/jackson-core/JsonFuzzer.java and https://github.com/google/oss-fuzz/blob/master/projects/jackson-databind/ObjectReaderFuzzer.java)? Then we'll take care of those from our fuzzers.

DavidKorczynski commented:

> We will do our best to try not to apply CVEs for fuzz targets written by AdaLogics

Great, thanks!

> We will need some assistance or notification by you to know who wrote which fuzz target

Do the links I provided above suffice?

DavidKorczynski commented:

> Thank you, that works! In the future, when AdaLogics adds a new fuzz target, please let us know or add some prefix to the name, so this will not happen again.

Sounds good -- I'll also send over an email after the assessment so you can see details about the findings we got using Jazzer.

eperret added a commit to eperret/omakase that referenced this issue Oct 4, 2022
Updated to a new version of the com.fasterxml.jackson libraries to address CVE-2022-42004.  FasterXML/jackson-databind#3582

Cleaned up the code where the jackson is used
@cowtowncoder cowtowncoder changed the title Add check in BeanDeserializer._deserializeFromArray() to prevent use of deeply nested arrays Add check in BeanDeserializer._deserializeFromArray() to prevent use of deeply nested arrays [CVE-2022-42004] Oct 5, 2022
@cowtowncoder cowtowncoder added CVE Issues related to public CVEs (security vuln reports) and removed has-failing-test Indicates that there exists a test case (under `failing/`) to reproduce the issue labels Oct 5, 2022
@cowtowncoder cowtowncoder modified the milestones: 2.14.0, 2.13.4 Oct 5, 2022
cowtowncoder added a commit that referenced this issue Oct 5, 2022
7 participants: @cowtowncoder, @DavidKorczynski, @cesarhernandezgt, @jensborrmann, @wakingrufus, @chadlwilson and others