CGA-fgh7-phh7-cj6x
Denial of Service vulnerability in jackson-databind (Maven)

Category: Denial of Service | Known public exploit: none | Fix available from Resolved Security

What is CGA-fgh7-phh7-cj6x About?

Jackson-databind versions 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 are vulnerable to a denial of service. This occurs in specific situations involving JsonNode JDK serialization, where processing can lead to a 2 GB transient heap usage per read. This vulnerability can be exploited by providing crafted input that triggers the inefficient serialization.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >2.10.0, <2.12.6
    • >2.13.0, <2.13.1

Technical Details

The denial of service vulnerability in Jackson-databind arises under specific circumstances when handling JsonNode JDK serialization. When a specially crafted JSON input is processed, the library can be coerced into generating a transient heap allocation of approximately 2 GB for each read operation. This excessive memory consumption, despite occurring in 'uncommon situations,' can quickly exhaust available system memory, leading to an OutOfMemoryError and consequently a denial of service for applications using the vulnerable Jackson-databind versions. The attack vector focuses on the serialization mechanism rather than common parsing flows.

What is the Impact of CGA-fgh7-phh7-cj6x?

Successful exploitation may allow attackers to cause a denial of service, leading to resource exhaustion, application crashes, and service unavailability.

What is the Exploitability of CGA-fgh7-phh7-cj6x?

Exploitation complexity is moderate, as it requires crafting specific JSON input that triggers the 'uncommon situations' during JsonNode JDK serialization. No authentication or specific privileges are required beyond the ability to provide JSON input to the vulnerable application. This is typically a remote vulnerability, where an attacker sends the malicious JSON payload over a network. The primary constraint is the application's reliance on the affected Jackson-databind versions and its use of JsonNode JDK serialization in a way that can be influenced by untrusted input. Risk factors increase for applications exposing JSON-based APIs that deserialize complex data structures with Jackson-databind.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CGA-fgh7-phh7-cj6x?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

None

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.10.0, <2.12.6 → Upgrade to 2.12.6
  • com.fasterxml.jackson.core:jackson-databind
    • >2.13.0, <2.13.1 → Upgrade to 2.13.1
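As an added example (not part of this advisory or of the jackson-databind project), the following Python script checks jackson-databind coordinates in `mvn dependency:list` style output against the affected ranges listed under Affected Software and reports the upgrade target from Available Upgrade Options. The dependency lines are constructed sample input. The lower bounds are treated as inclusive, following the prose description (2.10.x, 2.13.x), even though the range list writes them as strict (`>2.10.0`, `>2.13.0`); the script also accepts a four-part version such as 2.12.6.1 and a pre-release qualifier such as `-rc1`.

```python
"""Flag jackson-databind coordinates that fall inside the advisory's affected ranges."""
import re
from typing import List, Optional, Tuple

# Affected ranges taken from the advisory's "Affected Software" section, each paired
# with the upgrade target from "Available Upgrade Options". Lower bound inclusive
# (the prose says 2.10.x / 2.13.x), upper bound exclusive (the first fixed release).
AFFECTED_RANGES = [
    ((2, 10, 0), (2, 12, 6), "2.12.6"),
    ((2, 13, 0), (2, 13, 1), "2.13.1"),
]

GROUP_ARTIFACT = "com.fasterxml.jackson.core:jackson-databind"

# Lines in the shape printed by `mvn dependency:list`
# (groupId:artifactId:type[:classifier]:version:scope).
# Constructed sample input for this example, not output captured from a real build.
SAMPLE_DEPENDENCY_LIST = """\
   org.slf4j:slf4j-api:jar:1.7.36:compile
   com.fasterxml.jackson.core:jackson-core:jar:2.12.3:compile
   com.fasterxml.jackson.core:jackson-databind:jar:2.12.3:compile
   com.fasterxml.jackson.core:jackson-databind:jar:2.13.0:test
   com.fasterxml.jackson.core:jackson-databind:jar:2.13.1:compile
   com.fasterxml.jackson.core:jackson-databind:jar:2.12.6.1:compile
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.12.6.1' or '2.13.0-rc1' into a comparable tuple of ints.

    Anything after the first '-' (a qualifier such as -rc1 or -SNAPSHOT) is dropped,
    so a pre-release compares like its final release number. Numeric parts are
    padded to at least three components so 2.12.6 and 2.12.6.1 compare sensibly.
    """
    numeric = text.split("-", 1)[0]
    parts = [int(p) for p in re.findall(r"\d+", numeric)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def fix_version_for(version: str) -> Optional[str]:
    """Return the upgrade target if `version` is inside an affected range, else None."""
    v = parse_version(version)
    for lower, upper, target in AFFECTED_RANGES:
        if lower <= v < upper:
            return target
    return None


def parse_dependency_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split one dependency:list line into (group, artifact, version, scope).

    Handles the optional classifier column and strips the ' -- module ...' suffix
    that newer Maven versions append. Returns None for lines that are not
    dependency coordinates.
    """
    core = line.strip().split(" -- ", 1)[0]
    parts = core.split(":")
    if len(parts) not in (5, 6):
        return None
    return parts[0], parts[1], parts[-2], parts[-1]


def scan_dependency_list(text: str) -> List[Tuple[str, str, str]]:
    """Return (version, scope, upgrade_target) for every affected jackson-databind line."""
    findings = []
    for line in text.splitlines():
        parsed = parse_dependency_line(line)
        if parsed is None:
            continue
        group, artifact, version, scope = parsed
        if f"{group}:{artifact}" != GROUP_ARTIFACT:
            continue
        target = fix_version_for(version)
        if target is not None:
            findings.append((version, scope, target))
    return findings


if __name__ == "__main__":
    for version, scope, target in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{GROUP_ARTIFACT}:{version} ({scope}) is affected; upgrade to {target}")
```

Pipe the output of `mvn dependency:list` into `scan_dependency_list` to run it against a real project; test-scoped hits are still worth fixing, because the same artifact usually ends up on the runtime classpath through another path.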


Additional Resources

What are Similar Vulnerabilities to CGA-fgh7-phh7-cj6x?

Similar Vulnerabilities: CVE-2018-1000613, CVE-2019-12384, CVE-2019-14540, CVE-2020-24616, CVE-2022-22965