CVE-2022-42003 - vulnerability in jackson-databind 2.13.4

[domule]

CVE-2022-42003 has been reported against jackson-databind in version 2.13.4, which is currently used by Spring Boot 2.7.4:

In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

The only fix available is currently in 2.14.0-rc1; a final has not yet been released.

[wilkinsona]

Spring Boot isn't affected as UNWRAP_SINGLE_VALUE_ARRAYS is disabled by default and our auto-configuration of Jackson does do not enable it. You should review your own application code and see if you're enabling the vulnerable feature and handling untrusted input. If you are, you can either disable the feature and adapt to the change in behavior or you can upgrade Jackson using the jackson.version property.

Jackson 2.14 will be become the default version of Jackson in Spring Boot 3.0 if it reaches GA before our RC1 release later this month.

[OrangeDog]

Jackson 2.13.4.1 is now available, which fixes this issue for those who have enabled the feature.

<jackson-bom.version>2.13.4.20221012</jackson-bom.version>

[wilkinsona]

Thanks, @OrangeDog. Unfortunately 2.13.4.1 is broken for Gradle users at the moment (FasterXML/jackson-databind#3627) so we can't upgrade in Boot just yet. Anyone using Gradle who really wants to use 2.13.4.1 may be able to do so by adapting the workarounds in this issue.

[mrrobbins]

2.3.14.2 is now available with purported fix for Gradle https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13#micro-patches

[ThomHurks]

@wilkinsona jackson-bom version 2.13.4.20221013 includes jackson-databind version 2.13.4.2 which fixes the Gradle issue, in case you would like to include it in the upcoming Spring Boot 2.7.x patch release.

[snicoll]

@ThomHurks thanks but that's already done.

[ThomHurks]

Ah, apologies. Thanks!