Jackson 2.12.6 and 2.13.1 patch releases: one CVE fix


Tatu Saloranta

Dec 19, 2021, 5:32:16 PM
to jackson-announce, jackson-user
Jackson patch releases

* 2.12.6: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.12.6
* 2.13.1: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13.1

were just released. In addition to the usual "it is good to use the
latest patch", there is one additional reason for upgrade -- there is
a fix to one CVE-related bug:

https://github.com/FasterXML/jackson-databind/issues/3328

which:

1. Is ALMOST 100% NOT AFFECTING YOU IN ANY WAY wrt security, BUT
2. All the "security scanning" tools will quickly start reporting this
as a world-ending catastrophe to be avoided (and thankfully they found
it)

The issue fixed is explained in that Github issue and ONLY
affects you if:

1. You (or one of your deps) use _JDK serialization_ for
serialization/deserialization of Jackson types (some caching frameworks
might)
2. Value being serialized/deserialized is of type `JsonNode`
3. Jackson version used is 2.10.0 - 2.13.0 (but not 2.12.6, 2.13.1)
4. Attacker is able to replace binary serialization of JsonNode (or
provide one) to your code, and craft a "poison pill" payload

If you happen to have all of the above, the consequence is that the
attacker can induce up to 2 gig transient heap usage per read.

And just to make sure: there is absolutely no issue when using
`JsonNode` in normal ways; reading/writing JSON (and other formats)
using `ObjectMapper`.
This ONLY AFFECTS JDK serialization (ObjectOutputStream, ObjectInputStream).

Happy Holidays,

-+ Tatu +-
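To make the affected path concrete, here is an added example (not part of the announcement and not Jackson project code) that does two things a reviewer of a code base would want: it checks the jackson-databind version on the classpath against the affected range the announcement gives (2.10.0 through 2.13.0, with 2.12.6 and 2.13.1 fixed), and it shows side by side the unaffected path (JsonNode read and written through ObjectMapper) and the only affected path (a JsonNode handed to ObjectOutputStream/ObjectInputStream, as a JDK-serialization-based cache would do). The class name and method names are mine; it assumes jackson-databind is on the classpath. `PackageVersion.VERSION` and the `Version` accessors are real Jackson APIs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

import com.fasterxml.jackson.core.Version;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.PackageVersion;

// Hypothetical audit helper (added example); not a Jackson class.
public class JsonNodeSerializationAudit {

    // Affected range as stated in the announcement: 2.10.0 - 2.13.0,
    // except the patched releases 2.12.6+ and 2.13.1+.
    static boolean isAffectedVersion(Version v) {
        int major = v.getMajorVersion();
        int minor = v.getMinorVersion();
        int patch = v.getPatchLevel();
        if (major != 2) return false;
        if (minor < 10 || minor > 13) return false;
        if (minor == 12 && patch >= 6) return false;
        if (minor == 13 && patch >= 1) return false;
        return true;
    }

    // Unaffected path: JSON text <-> JsonNode through ObjectMapper only.
    static JsonNode roundTripViaObjectMapper(ObjectMapper mapper, String json) throws Exception {
        JsonNode node = mapper.readTree(json);
        String written = mapper.writeValueAsString(node);
        return mapper.readTree(written);
    }

    // Affected path: the JsonNode itself goes through JDK serialization.
    // If you find this pattern (or a cache that does it for you) with an
    // affected version, the fix is to upgrade; the bytes read back here
    // are whatever was stored, so the reader has to trust the storage.
    static JsonNode roundTripViaJdkSerialization(JsonNode node) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(node);
        }
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return (JsonNode) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Version v = PackageVersion.VERSION;
        System.out.println("jackson-databind " + v.toFullString()
            + (isAffectedVersion(v)
               ? " is in the affected range; JDK-serialized JsonNode values are at risk"
               : " is outside the affected range"));

        ObjectMapper mapper = new ObjectMapper();
        // Constructed sample document.
        String json = "{\"user\":\"alice\",\"roles\":[\"reader\",\"writer\"],\"active\":true}";

        JsonNode viaMapper = roundTripViaObjectMapper(mapper, json);
        System.out.println("ObjectMapper round trip matches: "
            + viaMapper.equals(mapper.readTree(json)));

        JsonNode viaJdk = roundTripViaJdkSerialization(mapper.readTree(json));
        System.out.println("JDK serialization round trip matches: "
            + viaJdk.equals(mapper.readTree(json)));
    }
}
```

The practical audit question this encodes is the one the announcement poses: does anything in your code base, or in a dependency such as a cache, feed `JsonNode` values into `ObjectOutputStream`/`ObjectInputStream`? If the answer is no, the ObjectMapper path above is the only one you use and the issue does not apply; if yes, and the version check reports an affected release, upgrade to 2.12.6 or 2.13.1.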