[https://issues.apache.org/jira/browse/FLUME-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
Deepak Garg updated FLUME-3469:
-------------------------------
Description:
*2.13.2 is vulnerable. It has to be upgraded to 2.15.0-rc1.*
*Security Vulnerability Details*
*Explanation*
The {{jackson-core}} package is vulnerable to a Denial of Service (DoS) attack.
The methods in the classes listed below fail to restrict input size when
performing numeric type conversions. A remote attacker can exploit this
vulnerability by causing the application to deserialize data containing certain
numeric types with large values. Deserializing many of the aforementioned
objects may cause the application to exhaust all available resources, resulting
in a DoS condition.
{_}Vulnerable File(s) and Function(s){_}:
com/fasterxml/jackson/core/base/ParserBase.class
* _parseSlowInt()
* convertNumberToBigDecimal()
com/fasterxml/jackson/core/base/ParserMinimalBase.class
* getValueAsDouble()
com/fasterxml/jackson/core/util/TextBuffer.class
* contentsAsDecimal()
* contentsAsDouble()
* contentsAsFloat()
*Detection*
The application is vulnerable by using this component if it does not restrict
user-supplied numeric input values prior to deserialization.
*Recommendation*
We recommend upgrading to a version of this component that is not vulnerable to
this specific issue.
Note: If this component is included as a bundled/transitive dependency of
another component, there may not be an upgrade path. In this instance, we
recommend contacting the maintainers who included the vulnerable package.
Alternatively, we recommend investigating alternative components or a potential
mitigating control.
*Version Affected*
[2.0.0-RC1,2.14.2]
*Root Cause*
jackson-core-2.13.2.jar : com/fasterxml/jackson/core/base/ParserBase.class ( , 2.15.0-rc1)
jackson-core-2.13.2.jar : com/fasterxml/jackson/core/base/ParserMinimalBase.class ( , 2.15.0-rc1)
jackson-core-2.13.2.jar : com/fasterxml/jackson/core/util/TextBuffer.class ( , 2.15.0-rc1)
*Advisories*
Project[https://github.com/FasterXML/jackson-core/pull/827]
Project[https://github.com/FasterXML/jackson-core/pull/846]
*CVSS Details*
Sonatype CVSS 3: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
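The "Detection" paragraph above says an application is exposed when it does not bound user-supplied numeric literals before they reach the parser. The following is an added example, not Flume's code and not part of the issue; it assumes jackson-core and jackson-databind 2.15 or later on the classpath, where the `StreamReadConstraints` API (the mechanism the fixed releases use to cap numeric literal length, default 1000 digits) is available. The class name `JacksonNumberLimitDemo`, the helper names, and the constructed JSON document are all illustrative.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.json.JsonMapper;

import java.io.IOException;

public class JacksonNumberLimitDemo {

    // Constructed sample input: a JSON object whose single field is a numeric
    // literal of the requested number of digits (no real data involved).
    static String documentWithDigits(int digits) {
        StringBuilder sb = new StringBuilder("{\"amount\": ");
        for (int i = 0; i < digits; i++) {
            sb.append('9');
        }
        return sb.append('}').toString();
    }

    // Builds a mapper whose parser refuses any numeric literal longer than
    // maxNumberLength characters (assumed 2.15+ StreamReadConstraints API).
    static JsonMapper boundedMapper(int maxNumberLength) {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxNumberLength(maxNumberLength)
                .build();
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(constraints)
                .build();
        return JsonMapper.builder(factory).build();
    }

    // Parses the document and forces the BigDecimal conversion path the advisory
    // names. Returns true when the constraint rejected the input, false when the
    // conversion completed (or failed for an unrelated reason).
    static boolean rejectedByConstraint(JsonMapper mapper, String json) {
        try {
            JsonNode root = mapper.readTree(json);
            root.get("amount").decimalValue();
            return false;
        } catch (StreamConstraintsException e) {
            return true;
        } catch (JsonProcessingException e) {
            // databind may wrap the streaming exception; look one level down
            return e.getCause() instanceof StreamConstraintsException;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        JsonMapper mapper = boundedMapper(100);
        System.out.println("20-digit literal rejected:     "
                + rejectedByConstraint(mapper, documentWithDigits(20)));
        System.out.println("10000-digit literal rejected:  "
                + rejectedByConstraint(mapper, documentWithDigits(10_000)));
    }
}
```

With the cap set to 100 characters the 20-digit value parses normally while the 10,000-digit value is rejected before any `BigDecimal` or `double` conversion runs. On a pre-2.15 jackson-core this class will not compile, which is itself a useful signal that the upgrade the issue asks for has not happened; the only other defence on older versions is to bound the size of the untrusted input before it is handed to the parser.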
> Fix jackson core vulnerability fasterxml.jackson.version 2.13.2
> ---------------------------------------------------------------
>
> Key: FLUME-3469
> URL: https://issues.apache.org/jira/browse/FLUME-3469
> Project: Flume
> Issue Type: Improvement
> Environment: RHEL 7
> Hadoop3
> Flume 1.11.0
> Reporter: Deepak Garg
> Priority: Major
> Labels: pull-request-available
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)