CVE-2018-1000873
Improper Input Validation vulnerability in jackson-datatype-jsr310 (Maven)
What is CVE-2018-1000873 About?
This Improper Input Validation vulnerability in FasterXML Jackson-Databind can lead to a denial-of-service (DoS) condition. It is triggered by deserializing malicious input containing very large nanoseconds field values within a time value. Exploitation requires sending specially crafted data and is straightforward when an endpoint that deserializes such input is exposed.
Affected Software
Technical Details
The FasterXML Jackson-Databind library, in versions prior to 2.9.8, suffers from an Improper Input Validation vulnerability. When deserializing time values, particularly those with extremely large values specified in the nanoseconds field, the library fails to properly handle or limit the input. This malicious input causes excessive resource consumption, leading to a denial-of-service (DoS) condition. The attack vector involves an adversary providing a crafted JSON payload with an oversized nanoseconds field to a vulnerable deserialization endpoint using ObjectMapper.
What is the Impact of CVE-2018-1000873?
Successful exploitation may allow attackers to cause a denial-of-service condition, rendering the target application or system unresponsive and unavailable to legitimate users.
What is the Exploitability of CVE-2018-1000873?
Exploitation of this vulnerability involves submitting a malicious JSON payload with an overly large nanoseconds field in a time value to an application using a vulnerable version of Jackson-Databind. The complexity is low if an endpoint accepting time-based JSON input is exposed. There are no authentication or specific privilege requirements; an unauthenticated user capable of submitting JSON data to the application's API can trigger the flaw. This is a remote vulnerability, requiring network access to the application. The primary risk factor that increases exploitation likelihood is the exposure of an API endpoint that processes user-supplied JSON data, particularly time values.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2018-1000873?
Available Upgrade Options
- com.fasterxml.jackson.datatype:jackson-datatype-jsr310
  - <2.9.8 → Upgrade to 2.9.8
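To check a build against the upgrade listed above, this added example (not part of the original advisory) scans `mvn dependency:list` output for the affected artifact and compares versions numerically, so 2.10.x is not mistaken for something older than 2.9.8. The sample lines are constructed, and the "review" verdict for qualified 2.9.8 builds is a conservative assumption.

```python
import re

# Coordinates and fixed version as listed in the advisory above.
GROUP = "com.fasterxml.jackson.datatype"
ARTIFACT = "jackson-datatype-jsr310"
FIXED = (2, 9, 8)

# One token from `mvn dependency:list`:
# group:artifact:type[:classifier]:version:scope
COORD = re.compile(r"[\w.\-]+(?::[\w.\-]+){4,5}")

# Constructed sample output, not taken from a real build.
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.7:compile
[INFO]    com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.7:compile
[INFO]    com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.8:compile
[INFO]    com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.10.0.pr1:test
""".splitlines()

def classify(version):
    """Return 'vulnerable', 'review' or 'ok' for one version string."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        return "review"  # no leading number, e.g. RELEASE or LATEST
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (len(FIXED) - len(nums))  # '2.9' compares as 2.9.0
    if nums < FIXED:
        return "vulnerable"
    # Assumption: a qualified 2.9.8 (SNAPSHOT, rc) may predate the release.
    if nums == FIXED and m.group(2):
        return "review"
    return "ok"

def scan(lines):
    """Return [(version, verdict)] for each jsr310 entry in the output."""
    findings = []
    for line in lines:
        m = COORD.search(line)
        if not m:
            continue
        parts = m.group(0).split(":")
        if parts[0] == GROUP and parts[1] == ARTIFACT:
            version = parts[-2]  # the version always precedes the scope
            findings.append((version, classify(version)))
    return findings

if __name__ == "__main__":
    for version, verdict in scan(SAMPLE):
        print(f"{GROUP}:{ARTIFACT}:{version} -> {verdict}")
```

Pipe the real output of `mvn dependency:list` into `scan()` line by line; transitive copies of the artifact appear there as well as direct ones.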
Additional Resources
- https://osv.dev/vulnerability/GHSA-h4x4-5qp2-wp46
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E
- https://github.com/FasterXML/jackson-modules-java8/pull/87
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1665601
- https://security.netapp.com/advisory/ntap-20200904-0004/
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000873
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
What are Similar Vulnerabilities to CVE-2018-1000873?
Similar Vulnerabilities: CVE-2020-36518, CVE-2020-28196, CVE-2020-14195, CVE-2019-14540, CVE-2019-14735
