Posted to issues@flume.apache.org by "Ralph Goers (Jira)" <ji...@apache.org> on 2023/04/17 15:21:00 UTC

[jira] [Assigned] (FLUME-3469) Fix jackson core vulnerability fasterxml.jackson.version 2.13.2

     [ https://issues.apache.org/jira/browse/FLUME-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ralph Goers reassigned FLUME-3469:
----------------------------------

    Assignee: Deepak Garg

> Fix jackson core vulnerability fasterxml.jackson.version 2.13.2
> ---------------------------------------------------------------
>
>                 Key: FLUME-3469
>                 URL: https://issues.apache.org/jira/browse/FLUME-3469
>             Project: Flume
>          Issue Type: Improvement
>         Environment: RHEL 7
> Hadoop3
> Flume 1.11.0
>            Reporter: Deepak Garg
>            Assignee: Deepak Garg
>            Priority: Major
>              Labels: pull-request-available
>
> *2.13.2 is vulnerable. It has to be upgraded to 2.15.0-rc1.*
> *Security Vulnerability Details*
> *Explanation*
> The {{jackson-core}} package is vulnerable to a Denial of Service (DoS) attack. The methods in the classes listed below fail to restrict input size when performing numeric type conversions. A remote attacker can exploit this vulnerability by causing the application to deserialize data containing certain numeric types with large values. Deserializing many of the aforementioned objects may cause the application to exhaust all available resources, resulting in a DoS condition.
> _Vulnerable File(s) and Function(s)_:
> com/fasterxml/jackson/core/base/ParserBase.class
>  * _parseSlowInt()
>  * convertNumberToBigDecimal()
> com/fasterxml/jackson/core/base/ParserMinimalBase.class
>  * getValueAsDouble()
> com/fasterxml/jackson/core/util/TextBuffer.class
>  * contentsAsDecimal()
>  * contentsAsDouble()
>  * contentsAsFloat()
> *Detection*
> The application is vulnerable by using this component if it does not restrict user-supplied numeric input values prior to deserialization.
> *Recommendation*
> We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
> Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
> *Version Affected*
> [2.0.0-RC1,2.14.2]
> *Root Cause*
> jackson-core-2.13.2.jar : com/fasterxml/jackson/core/base/ParserBase.class ( , 2.15.0-rc1)
> jackson-core-2.13.2.jar : com/fasterxml/jackson/core/base/ParserMinimalBase.class ( , 2.15.0-rc1)
> jackson-core-2.13.2.jar : com/fasterxml/jackson/core/util/TextBuffer.class ( , 2.15.0-rc1)
> *Advisories*
> Project: [https://github.com/FasterXML/jackson-core/pull/827]
> Project: [https://github.com/FasterXML/jackson-core/pull/846]
> *CVSS Details*
> Sonatype CVSS 3: 7.5
> CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
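The advisory's mitigation is twofold: move to a fixed jackson-core and make sure the application bounds numeric input before it is converted. The example below is an added illustration written for this page, not code from Flume or from the Jackson project. It assumes jackson-core and jackson-databind 2.15.0 or later (the release line the ticket upgrades to), where the parser exposes StreamReadConstraints; the 100-digit limit and the class and method names in the example are hypothetical values chosen for the demonstration. The constructed oversized document is rejected with a StreamConstraintsException before the costly BigDecimal or double conversion named in the advisory is attempted.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.json.JsonMapper;

import java.io.IOException;

/**
 * Added example (not Flume or Jackson project code). Builds an ObjectMapper whose
 * parser enforces a maximum numeric token length, which is the input-size
 * restriction the advisory says jackson-core 2.13.2 lacked.
 * Requires jackson-core and jackson-databind 2.15.0 or later.
 */
public class BoundedNumberParsing {

    // Hypothetical policy value for this example: no legitimate numeric field
    // in the events we ingest needs more than 100 digits.
    private static final int MAX_NUMBER_DIGITS = 100;

    /** Mapper whose underlying JsonFactory rejects over-long numbers at tokenization time. */
    static JsonMapper hardenedMapper() {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxNumberLength(MAX_NUMBER_DIGITS)
                .build();
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(constraints)
                .build();
        return JsonMapper.builder(factory).build();
    }

    /**
     * Returns true if the document was parsed, false if the parser refused it
     * because a number exceeded the configured length.
     */
    static boolean tryParse(JsonMapper mapper, String json) throws IOException {
        try {
            JsonNode node = mapper.readTree(json);
            return node != null;
        } catch (StreamConstraintsException e) {
            // Oversized numeric token: fail fast rather than attempting the
            // expensive numeric conversion described in the advisory.
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        JsonMapper mapper = hardenedMapper();

        // Constructed sample inputs for this example.
        String normal = "{\"amount\": 12345.678}";
        String oversized = "{\"amount\": " + "9".repeat(5000) + "}";

        System.out.println("normal accepted:    " + tryParse(mapper, normal));    // true
        System.out.println("oversized accepted: " + tryParse(mapper, oversized)); // false
    }
}
```

The constraint is attached to the JsonFactory, so every parser created from this mapper inherits it, including ones reached through readValue and readTree on nested components. If the application cannot move the Jackson version itself because jackson-core arrives as a transitive dependency, pinning the version in dependencyManagement of the consuming build is the usual path, and the ticket's advisory note applies: confirm the pinned version is the one actually on the runtime classpath.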



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@flume.apache.org
For additional commands, e-mail: issues-help@flume.apache.org