Add check in BeanDeserializer._deserializeFromArray() to prevent use of deeply nested arrays [CVE-2022-42004]
#3582
Comments
@henryrneh I think it is reasonable to file a CVE for this, although one caveat is that it is only applicable if users enable specific
This issue was found by a fuzzer written by the Ada Logics team and is part of an ongoing security assessment. @henryrneh can you please ensure the issues you report are found by the fuzzers written by your team (https://github.com/google/oss-fuzz/blob/master/projects/jackson-core/JsonFuzzer.java and https://github.com/google/oss-fuzz/blob/master/projects/jackson-databind/ObjectReaderFuzzer.java) then we'll take care of those from our fuzzers.
Great, thanks!
Do the links I provided above suffice?
sounds good -- I'll also send over an email after the assessment so you can see details about the findings we got using Jazzer |
Updated to a new version of the com.fasterxml.jackson libraries to address CVE-2022-42004. FasterXML/jackson-databind#3582 Cleaned up the code where the jackson is used
…kson-bom to resolve CVE-2022-42003, CVE-2022-42004 (spinnaker#58) See FasterXML/jackson-databind#3590 and FasterXML/jackson-databind#3582 for details. @W-12037349
Fix included in
(note: found by oss-fuzz, see: https://bugs.chromium.org/p/oss-fuzz/issues)
Currently feature DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS is supported by most types, and deserializers tend to implement support using recursion, effectively allowing multiple nested layers of JSON Arrays to be unwrapped.

This is not a feature to support but just an implementation detail; ideally we should only allow a single JSON Array to wrap a value.
I think I have removed ability for deeper nesting from some other types so there may be some prior art.
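An added example (not code from jackson-databind or from this issue) of a caller-side guard for applications that enable UNWRAP_SINGLE_VALUE_ARRAYS: it streams the tokens with jackson-core, without recursion, and refuses input in which more than one JSON Array directly wraps a value. The class SingleWrapGuard, the bean Point and the helper names are hypothetical, and the guard assumes the bound types contain no legitimate array-of-array values.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

public class SingleWrapGuard {
    // Hypothetical bean used only for this example.
    public static class Point { public int x; public int y; }

    private static final JsonFactory FACTORY = new JsonFactory();

    /** Longest run of directly nested START_ARRAY tokens, found iteratively. */
    static int longestArrayRun(String json) throws IOException {
        int run = 0, longest = 0;
        try (JsonParser p = FACTORY.createParser(json)) {
            for (JsonToken t = p.nextToken(); t != null; t = p.nextToken()) {
                // Any token other than START_ARRAY ends the current run.
                run = (t == JsonToken.START_ARRAY) ? run + 1 : 0;
                longest = Math.max(longest, run);
            }
        }
        return longest;
    }

    /** Binds only when at most one JSON Array wraps any value (assumption: no array-of-array fields). */
    static <T> T readSingleWrapped(ObjectMapper mapper, String json, Class<T> type) throws IOException {
        if (longestArrayRun(json) > 1) {
            throw new IOException("more than one JSON Array wraps a value; refusing to bind");
        }
        return mapper.readValue(json, type);
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper()
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
        // Constructed sample inputs: one wrapper is accepted, three are rejected.
        Point ok = readSingleWrapped(mapper, "[{\"x\":1,\"y\":2}]", Point.class);
        System.out.println(ok.x + "," + ok.y);
        try {
            readSingleWrapped(mapper, "[[[{\"x\":1,\"y\":2}]]]", Point.class);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```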