[jira] [Commented] (CASSANDRA-17966) jackson-databind vulnerability CVE-2022-42003 CVE-2022-42004

Mon, 17 Oct 2022 08:42:10 -0700 


    [ 
https://issues.apache.org/jira/browse/CASSANDRA-17966?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17618965#comment-17618965
 ] 

Brandon Williams commented on CASSANDRA-17966:
----------------------------------------------

CVE-2022-42004 looks like we can suppress:
{quote}
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur 
because of a lack of a check in BeanDeserializer._deserializeFromArray to 
prevent use of deeply nested arrays. An application is vulnerable only with 
certain customized choices for deserialization.
{quote}

CVE-2022-42003 looks quite similar:
{quote}
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur 
because of a lack of a check in primitive value deserializers to avoid deep 
wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. 
{quote}

I don't think either of these are worth upgrading for and I'm not keen on 
upgrading to an RC version anyway, so patches to suppress:

||Branch||CI||
|[3.11|https://github.com/driftx/cassandra/tree/CASSANDRA-17966-3.11]|[circle|https://app.circleci.com/pipelines/github/driftx/cassandra/665/workflows/b647a7bb-fc55-4022-881d-a31731258ee2]|
|[4.0|https://github.com/driftx/cassandra/tree/CASSANDRA-17966-4.0]|[circle|https://app.circleci.com/pipelines/github/driftx/cassandra/667/workflows/40d9af0c-ba79-4482-a1d8-f9c7f81441f4]|
|[4.1|https://github.com/driftx/cassandra/tree/CASSANDRA-17966-4.1]|[circle|https://app.circleci.com/pipelines/github/driftx/cassandra/664/workflows/e55f85c0-63d4-420c-8f4a-3ea94fa88fd5]|
|[trunk|https://github.com/driftx/cassandra/tree/CASSANDRA-17966-trunk]|[circle|https://app.circleci.com/pipelines/github/driftx/cassandra/666/workflows/dfeb2502-8e51-4f1a-86fb-112a817ed2b5]


> jackson-databind vulnerability CVE-2022-42003 CVE-2022-42004
> ------------------------------------------------------------
>
>                 Key: CASSANDRA-17966
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17966
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Dependencies
>            Reporter: Brandon Williams
>            Assignee: Brandon Williams
>            Priority: Normal
>             Fix For: 3.11.x, 4.0.x, 4.1-beta2, 4.x
>
>
> As the summary says, jackson-databind 2.13.2.2 which was upgraded for a 
> vulnerability in CASSANDRA-17556 is vulnerable again.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to