Jackson Work in Progress

Tatu Saloranta edited this page Oct 30, 2018 · 2080 revisions

Jackson WIP

This page is a "living document" of on-going work, mostly by @cowtowncoder (Tatu), although other committers are welcome to update it as well.

Last update

29-Oct-2018.

Urgent things

DoS vectors via BigDecimal, BigInteger

Group of issues related to possible Denial-of-Service attacks, making use of surprisingly poor performance characteristics of coercing from BigInteger into long, and thereby also BigDecimal (as it is based on 2 BigIntegers). Mostly implemented by 29-Oct-2018; to be included in 2.9.8.
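As an added illustration of the defensive idea behind this item (this is example code written for this page, not Jackson's own fix and not code from the project): the cheap place to stop an oversized number is before any BigInteger or BigDecimal is built from it, because the expensive step is the coercion, not the tokenizing. The reader below uses jackson-core's streaming parser and applies a hypothetical character limit (MAX_NUMBER_CHARS, an assumed value) to the raw numeric token before calling getBigIntegerValue()/getDecimalValue() and converting to long.

```java
import java.io.IOException;
import java.math.BigDecimal;
import java.math.BigInteger;

import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;

// Hypothetical guard (not Jackson's own fix): cap the number of characters in a
// numeric literal before it is turned into a BigInteger/BigDecimal and coerced to long.
public final class BoundedNumberReader {
    // Assumed limit; an application chooses a value that fits its real data.
    static final int MAX_NUMBER_CHARS = 1000;

    private final JsonFactory factory = new JsonFactory();

    // Reads a single JSON number and returns it as a long, refusing literals that are
    // long enough to make the BigInteger/BigDecimal coercion expensive.
    public long readLong(String json) throws IOException {
        try (JsonParser p = factory.createParser(json)) {
            JsonToken t = p.nextToken();
            if (t != JsonToken.VALUE_NUMBER_INT && t != JsonToken.VALUE_NUMBER_FLOAT) {
                throw new IOException("expected a JSON number, got " + t);
            }
            // getText() gives the raw token text; its length is checked before any
            // BigInteger/BigDecimal object is constructed from it.
            String raw = p.getText();
            if (raw.length() > MAX_NUMBER_CHARS) {
                throw new IOException("numeric literal too long: " + raw.length() + " chars");
            }
            if (t == JsonToken.VALUE_NUMBER_INT) {
                BigInteger bi = p.getBigIntegerValue();
                return bi.longValueExact();   // ArithmeticException if outside long range
            }
            BigDecimal bd = p.getDecimalValue();
            return bd.longValueExact();       // ArithmeticException if fractional or out of range
        }
    }

    public static void main(String[] args) throws IOException {
        BoundedNumberReader r = new BoundedNumberReader();
        System.out.println(r.readLong("12345"));
        System.out.println(r.readLong("1e3"));

        // Constructed oversized input: a 1 followed by 2000 zeros.
        StringBuilder sb = new StringBuilder("1");
        for (int i = 0; i < 2000; i++) {
            sb.append('0');
        }
        try {
            r.readLong(sb.toString());
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The limit is applied to the token text rather than to the parsed value because by the time a value exists the costly work has already been done; the same pattern applies in a custom JsonDeserializer that calls getText() before any numeric accessor.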

New CVEs for Polymorphic Deserialization gadgets

  • On 29-Oct-2018, 3 more gadgets were reported. More information will be sent to the jackson-dev-infosec list; fixes for 2.9.8 and 2.8.11.3.
