CVE-2022-42003
Resource Exhaustion vulnerability in jackson-databind (Maven)

Tags: Resource Exhaustion | No known exploit | Fixable by Resolved Security

What is CVE-2022-42003 About?

This vulnerability is a resource exhaustion issue in FasterXML jackson-databind. It stems from the lack of checks to prevent deeply nested wrapper arrays during deserialization when a specific feature is enabled, potentially leading to denial of service with crafted input. Exploitation is moderately complex, since the feature must be enabled in the target application and the attacker must be able to supply crafted input to it.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >2.13.0, <2.13.4.2
    • >2.4.0-rc1, <2.12.7.1

Technical Details

The vulnerability affects the FasterXML jackson-databind versions listed above and originates in the primitive value deserializers. When the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled, there is no check to prevent excessively deep nesting of wrapper arrays. An attacker can submit a JSON payload with a deeply nested array structure surrounding a primitive value. Each nesting level is unwrapped recursively, so the deserialization process consumes significant system resources (in particular stack memory) in proportion to the nesting depth, ultimately leading to resource exhaustion, which manifests as a denial of service condition for the application.

What is the Impact of CVE-2022-42003?

Successful exploitation may allow attackers to cause a denial of service, making the service unavailable to other users.

What is the Exploitability of CVE-2022-42003?

Exploitation requires interacting with an application that uses the vulnerable FasterXML jackson-databind library, specifically with the UNWRAP_SINGLE_VALUE_ARRAYS feature enabled. The complexity is moderate, as it involves crafting a JSON input with deeply nested wrapper arrays. No specific authentication or elevated privileges are required, provided the attacker can submit JSON data to the application. This is typically a remote attack. The primary constraint is the explicit enablement of the UNWRAP_SINGLE_VALUE_ARRAYS feature. Risk factors include exposing JSON deserialization endpoints to untrusted users and not implementing safeguards against deep recursion.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-42003?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch ensures that when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled, only a single level of array wrapping is permitted by explicitly checking for and rejecting nested arrays during deserialization. This prevents malicious input with deeply nested arrays from bypassing checks and triggering stack exhaustion or denial-of-service, thereby addressing CVE-2022-42003. The fix adds targeted checks and error handling to stop processing and raise an exception if additional array nesting is detected.
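The library-level fix described above limits wrapping to a single level inside jackson-databind itself. The added example below, which is not part of the page or of the jackson project, shows the application-side safeguard the Exploitability section alludes to: an iterative streaming pre-check that measures nesting depth with JsonParser (which walks tokens without recursion) and rejects input before it reaches the recursive data-binding layer. The class name NestingDepthGuard, the Reading target type, the MAX_DEPTH budget of 32 and the sample inputs are all constructed for this illustration; the Jackson API calls (JsonFactory, JsonParser, JsonToken.isStructStart/isStructEnd, DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS, ObjectMapper.readValue) are the library's real ones.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

/** Hypothetical application-side guard; not part of jackson-databind. */
public class NestingDepthGuard {

    /** Assumed budget: UNWRAP_SINGLE_VALUE_ARRAYS only ever needs one level. */
    static final int MAX_DEPTH = 32;

    /** Constructed target type for the demonstration. */
    public static class Reading {
        public int count;
    }

    /**
     * Iterative streaming pre-check. JsonParser produces tokens without
     * recursion, so measuring depth here cannot itself overflow the stack.
     * Returns true when the deepest open array or object stays within budget,
     * and stops reading as soon as the budget is exceeded.
     */
    static boolean withinDepthBudget(JsonFactory factory, String json, int maxDepth)
            throws IOException {
        int depth = 0;
        try (JsonParser p = factory.createParser(json)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t.isStructStart()) {           // START_ARRAY or START_OBJECT
                    if (++depth > maxDepth) {
                        return false;              // reject early, read no further
                    }
                } else if (t.isStructEnd()) {      // END_ARRAY or END_OBJECT
                    depth--;
                }
            }
        }
        return true;
    }

    /** Only inputs that pass the budget reach the recursive data-binding layer. */
    static Reading parseGuarded(ObjectMapper mapper, String json) throws IOException {
        if (!withinDepthBudget(mapper.getFactory(), json, MAX_DEPTH)) {
            throw new IOException("rejected: JSON nesting deeper than " + MAX_DEPTH);
        }
        return mapper.readValue(json, Reading.class);
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper()
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);

        // Legitimate single-level wrapping, the case the feature exists for.
        Reading ok = parseGuarded(mapper, "{\"count\":[7]}");
        System.out.println("count = " + ok.count);

        // Constructed input whose wrapping (40 levels) exceeds the budget.
        StringBuilder sb = new StringBuilder("{\"count\":");
        for (int i = 0; i < 40; i++) sb.append('[');
        sb.append('7');
        for (int i = 0; i < 40; i++) sb.append(']');
        sb.append('}');
        try {
            parseGuarded(mapper, sb.toString());
        } catch (IOException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

This guard is a defence-in-depth measure, not a substitute for upgrading to the fixed versions listed below. From jackson-core 2.15 onward the same limit can be set in the library itself via StreamReadConstraints.builder().maxNestingDepth(...) on the JsonFactory, which removes the need for a separate pre-pass.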

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.4.0-rc1, <2.12.7.1 → Upgrade to 2.12.7.1
  • com.fasterxml.jackson.core:jackson-databind
    • >2.13.0, <2.13.4.2 → Upgrade to 2.13.4.2


Additional Resources

What are Similar Vulnerabilities to CVE-2022-42003?

Similar Vulnerabilities: CVE-2022-42004, CVE-2023-1370, CVE-2023-26144, CVE-2023-25153, CVE-2020-14195