Alerts This Week
Warning Icon 1 714
Alerts This Week
Warning Icon 1 714

Mageia 9: 2024-0070 Moderate: jackson-databind RCE and DoS Issue

mageia
Calendar Grey March 16, 2024
Dist Mageia Esm H88
A security patch for Jackson-databind mitigates denial of service and resource exhaustion issues identified in Mageia.
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects

Summary

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. (CVE-2020-36518) In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. (CVE-2022-42003) In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. (CVE-2022-42004)

References

- https://bugs.mageia.org/show_bug.cgi?id=30368

- https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html

- https://lists.suse.com/pipermail/sle-security-updates/2022-May/011022.html

-

- https://lists.suse.com/pipermail/sle-security-updates/2022-November/012934.html

-

- https://lists.debian.org/debian-security-announce/2022/msg00254.html

- https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html

- https://access.redhat.com/errata/RHSA-2023:2312

- https://www.cve.org/CVERecord?id=CVE-2020-36518

- https://www.cve.org/CVERecord?id=CVE-2022-42003

- https://www.cve.org/CVERecord?id=CVE-2022-42004

Topics%20covered

Topics Covered

security advisory denial of service remote code execution java resource exhaustion jackson-databind mageia

Resolution

SRPMS

- 9/core/jackson-databind-2.11.4-2.1.mga9

Publication date: 16 Mar 2024
URL: https://advisories.mageia.org/MGASA-2024-0069.html
Type: security
CVE: CVE-2020-36518, CVE-2022-42003, CVE-2022-42004

Topics%20covered

Topics Covered

security advisory denial of service remote code execution java resource exhaustion jackson-databind mageia

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here