Jackson patch releases

* 2.12.6: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.12.6
* 2.13.1: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13.1

were just released. In addition to the usual "it is good to use the
latest patch", there is one additional reason to upgrade -- there is
a fix for one CVE-related bug:

    https://github.com/FasterXML/jackson-databind/issues/3328

which:

1. Is ALMOST 100% NOT AFFECTING YOU IN ANY WAY wrt security, BUT
2. All the "security scanning" tools will quickly start reporting this
as a world-ending catastrophe to be avoided (and thankfully they found
it)

The issue fixed is explained in that GitHub issue and ONLY
affects you if:

1. You (or one of your deps) use _JDK serialization_ for
serializing/deserializing Jackson types (some caching frameworks
might)
2. The value being serialized/deserialized is of type `JsonNode`
3. The Jackson version used is 2.10.0 - 2.13.0 (but not 2.12.6, 2.13.1)
4. An attacker is able to replace the binary serialization of JsonNode (or
provide one) to your code, and craft a "poison pill" payload

If you happen to have all of the above, the consequence is that the
attacker can induce up to 2 gig transient heap usage per read.

And just to make sure: there is absolutely no issue when using
`JsonNode` in normal ways, that is, reading/writing JSON (and other formats)
using `ObjectMapper`.
This ONLY AFFECTS JDK serialization (ObjectOutputStream, ObjectInputStream).

Happy Holidays,

-+ Tatu +-

-- 
You received this message because you are subscribed to the Google Groups 
"jackson-user" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jackson-user/CAL4a10i1RwtR_F9D%3DtfvDQfr3wbGpOp%3DQdV5Yjkg_%3DEBH612nw%40mail.gmail.com.
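Added example (not part of Tatu's post and not Jackson project code): a small Python script that applies the version condition (item 3 in the announcement) to dependency-tree output, so you can tell quickly whether the jackson-databind you actually resolve is in the affected range. It assumes, beyond what the post states, that later patch releases on the 2.12 and 2.13 lines and 2.14+ also carry the fix. The dependency lines it scans are constructed samples in `mvn dependency:tree` and Gradle `dependencies` format (Gradle's `a -> b` conflict-resolution notation is honoured, since `b` is the version you ship). It answers only the version question; items 1, 2 and 4 (JDK serialization of `JsonNode` fed by attacker-controlled bytes) still need a look at the code.

```python
"""Scan a Maven/Gradle dependency listing for jackson-databind versions in the
range affected by jackson-databind issue #3328 (fixed in 2.12.6 and 2.13.1).

Added example for the jackson-user announcement; not Jackson project code.
Assumptions not stated in the post: later 2.12.x / 2.13.x patch releases and
2.14+ carry the fix; SAMPLE_TREE below is constructed, not real project output.
"""
import re
import sys
from typing import Iterable, List, Optional, Tuple

# Affected range from the announcement: 2.10.0 through 2.13.0 inclusive,
# except the patch releases that carry the fix.
FIRST_AFFECTED = (2, 10, 0)
FIXED_IN = {12: 6, 13: 1}  # minor line -> first patch release with the fix (assumed to persist)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Matches Maven ("...:jackson-databind:jar:2.12.5:compile") and Gradle
# ("...:jackson-databind:2.11.4 -> 2.13.1") coordinate formats.
_GAV_RE = re.compile(
    r"com\.fasterxml\.jackson\.core:jackson-databind:(?:jar:)?"
    r"(\d+\.\d+\.\d+)(?:\s*->\s*(\d+\.\d+\.\d+))?"
)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for strings like '2.12.5', else None."""
    m = _VERSION_RE.match(text.strip())
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_affected(version: str) -> bool:
    """True if this jackson-databind version lacks the #3328 fix."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = v
    if major != 2 or v < FIRST_AFFECTED:
        return False  # outside the 2.10.0 - 2.13.0 range given in the post
    if minor > 13:
        return False  # assumption: 2.14+ carry the fix
    fixed_patch = FIXED_IN.get(minor)
    if fixed_patch is None:
        return True  # 2.10.x and 2.11.x: no patch release with the fix
    return patch < fixed_patch


def find_affected(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (effective_version, line) for every affected jackson-databind hit."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        for m in _GAV_RE.finditer(line):
            effective = m.group(2) or m.group(1)  # Gradle 'a -> b': b is what ships
            if is_affected(effective):
                hits.append((effective, line.strip()))
    return hits


# Constructed sample: Maven tree lines followed by Gradle-style lines.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.5:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.5:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.12.5:compile
[INFO] \\- com.example:legacy-cache:jar:3.1.0:compile
+--- com.fasterxml.jackson.core:jackson-databind:2.11.4 -> 2.13.1
+--- com.fasterxml.jackson.core:jackson-databind:2.13.0 (*)
"""


def main() -> int:
    # Pipe real output in ("mvn dependency:tree | python3 scan.py"); otherwise use the sample.
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_TREE.splitlines()
    hits = find_affected(lines)
    for version, line in hits:
        print(f"AFFECTED jackson-databind {version}: {line}")
    if not hits:
        print("no affected jackson-databind versions found")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it against the sample and it flags the direct 2.12.5 dependency and the Gradle 2.13.0 line, but not the 2.11.4 that Gradle resolves up to 2.13.1. A non-zero exit code on hits makes it easy to drop into a CI step.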