[
https://issues.apache.org/jira/browse/FLUME-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ralph Goers reassigned FLUME-3469:
----------------------------------
Assignee: Deepak Garg
> Fix jackson core vulnerability fasterxml.jackson.version 2.13.2
> ---------------------------------------------------------------
>
> Key: FLUME-3469
> URL: https://issues.apache.org/jira/browse/FLUME-3469
> Project: Flume
> Issue Type: Improvement
> Environment: RHEL 7
> Hadoop3
> Flume 1.11.0
> Reporter: Deepak Garg
> Assignee: Deepak Garg
> Priority: Major
> Labels: pull-request-available
>
> *2.13.2 is vulnerable. It has to be upgraded to 2.15.0-rc1.*
> *Security Vulnerability Details*
> *Explanation*
> The {{jackson-core}} package is vulnerable to a Denial of Service (DoS)
> attack. The methods in the classes listed below fail to restrict input size
> when performing numeric type conversions. A remote attacker can exploit this
> vulnerability by causing the application to deserialize data containing
> certain numeric types with large values. Deserializing many of the
> aforementioned objects may cause the application to exhaust all available
> resources, resulting in a DoS condition.
> _Vulnerable File(s) and Function(s)_:
> com/fasterxml/jackson/core/base/ParserBase.class
> * _parseSlowInt()
> * convertNumberToBigDecimal()
> com/fasterxml/jackson/core/base/ParserMinimalBase.class
> * getValueAsDouble()
> com/fasterxml/jackson/core/util/TextBuffer.class
> * contentsAsDecimal()
> * contentsAsDouble()
> * contentsAsFloat()
> *Detection*
> The application is vulnerable by using this component if it does not restrict
> user-supplied numeric input values prior to deserialization.
> *Recommendation*
> We recommend upgrading to a version of this component that is not vulnerable
> to this specific issue.
> Note: If this component is included as a bundled/transitive dependency of
> another component, there may not be an upgrade path. In this instance, we
> recommend contacting the maintainers who included the vulnerable package.
> Alternatively, we recommend investigating alternative components or a
> potential mitigating control.
> *Version Affected*
> [2.0.0-RC1,2.14.2]
> *Root Cause*
> jackson-core-2.13.2.jar : com/fasterxml/jackson/core/base/ParserBase.class ( , 2.15.0-rc1)
> jackson-core-2.13.2.jar : com/fasterxml/jackson/core/base/ParserMinimalBase.class ( , 2.15.0-rc1)
> jackson-core-2.13.2.jar : com/fasterxml/jackson/core/util/TextBuffer.class ( , 2.15.0-rc1)
> *Advisories*
> Project [https://github.com/FasterXML/jackson-core/pull/827]
> Project [https://github.com/FasterXML/jackson-core/pull/846]
> *CVSS Details*
> Sonatype CVSS 3: 7.5
> CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
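The explanation quoted above describes the mechanism (an unbounded digit string reaching the BigDecimal/double conversion in TextBuffer and ParserBase) and the two ways out of it (upgrade, or a mitigating control). The following is an added example, not code from the Flume project or from jackson-core, that shows both against a constructed payload. It assumes jackson-core and jackson-databind 2.15.0 or later on the classpath, where StreamReadConstraints and its maxNumberLength limit exist; the class name JacksonNumberLengthDemo, the JSON field name "amount", the 200,000-digit payload and the limit of 100 digits are illustrative choices, not values taken from the ticket. The unbounded mapper raises the limit to Integer.MAX_VALUE so that the whole digit string reaches the conversion, which is the unchecked path the report lists; because 2.15 also changed the conversion code, the timing printed there is indicative rather than a reproduction of 2.13.2.

```java
// Added example (not Flume or jackson-core project code). Requires
// jackson-core and jackson-databind 2.15.0+ on the classpath (assumption).
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;
import java.math.BigDecimal;

public class JacksonNumberLengthDemo {

    /** Constructed attacker-style payload: one JSON float literal with `digits` digits. */
    static String hugeDecimalJson(int digits) {
        StringBuilder sb = new StringBuilder(digits + 16);
        sb.append("{\"amount\":");
        for (int i = 0; i < digits; i++) {
            sb.append('9');
        }
        sb.append(".5}");
        return sb.toString();
    }

    /**
     * Mapper with the number-length limit effectively switched off, so the full
     * digit string reaches the BigDecimal conversion with no size check, the
     * unrestricted path the report describes. CPU time grows super-linearly
     * with the digit count.
     */
    static ObjectMapper unboundedMapper() {
        JsonFactory f = JsonFactory.builder()
                .streamReadConstraints(StreamReadConstraints.builder()
                        .maxNumberLength(Integer.MAX_VALUE)
                        .build())
                .build();
        return new ObjectMapper(f)
                .enable(DeserializationFeature.USE_BIG_DECIMAL_FOR_FLOATS);
    }

    /**
     * Hardened mapper: explicit limit on the length of any number token, enforced
     * by the parser before any numeric conversion runs. 2.15.0 applies 1000 by
     * default; a tighter value is passed in here (assumed adequate for the data).
     */
    static ObjectMapper boundedMapper(int maxDigits) {
        JsonFactory f = JsonFactory.builder()
                .streamReadConstraints(StreamReadConstraints.builder()
                        .maxNumberLength(maxDigits)
                        .build())
                .build();
        return new ObjectMapper(f)
                .enable(DeserializationFeature.USE_BIG_DECIMAL_FOR_FLOATS);
    }

    /** Parses and forces the numeric conversion that the vulnerable code path performs. */
    static BigDecimal parseAmount(ObjectMapper mapper, String json) throws IOException {
        JsonNode root = mapper.readTree(json);
        return root.get("amount").decimalValue();
    }

    /**
     * Mitigating control for deployments still on a vulnerable jackson-core:
     * reject any payload containing a run of digits longer than maxDigits
     * before it reaches the parser. Linear in the input size, no allocation.
     */
    static boolean containsOverlongNumber(String json, int maxDigits) {
        int run = 0;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (c >= '0' && c <= '9') {
                if (++run > maxDigits) {
                    return true;
                }
            } else {
                run = 0;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        String hostile = hugeDecimalJson(200_000);
        String benign = "{\"amount\":1234.5}";

        // Pre-parse check usable while still on 2.13.x
        System.out.println("benign flagged:  " + containsOverlongNumber(benign, 100));
        System.out.println("hostile flagged: " + containsOverlongNumber(hostile, 100));

        // 2.15 constraint: the parser refuses the token before converting it
        try {
            parseAmount(boundedMapper(100), hostile);
            System.out.println("unexpected: hostile payload accepted");
        } catch (StreamConstraintsException e) {
            System.out.println("rejected by StreamReadConstraints: " + e.getMessage());
        }
        System.out.println("benign parsed: " + parseAmount(boundedMapper(100), benign));

        // Unbounded path: shows the cost an attacker can impose per request
        long t0 = System.nanoTime();
        parseAmount(unboundedMapper(), hostile);
        System.out.printf("unbounded parse of 200000 digits took %d ms%n",
                (System.nanoTime() - t0) / 1_000_000);
    }
}
```

The pre-parse scan is only a stopgap: it bounds the digit run but not other resource costs, and it must sit in front of every entry point that hands untrusted bytes to Jackson (for Flume, any source or interceptor that deserializes event bodies as JSON). The upgrade to 2.15.0-rc1 or later is the fix, after which the constraint can be tuned per JsonFactory as shown.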