jackson-modules-java8 icon indicating copy to clipboard operation
jackson-modules-java8 copied to clipboard

Published 20 hours ago verified publisher icon FasterXML

More issues like CVE-2018-1000873

Open GFriedrich opened this issue 5 years ago • 3 comments

This is a followup for #90 I've just read about CVE-2018-1000873 and found more issues like these that result in a possible DoS where used within a service. To make it more plastic, I've decided to create a table for this (feel free to split up the ticket to jackson-core too - I didn't want to create tickets in several projects at once):

Target Type/Parsed Value 10000000e10000000 1000...000 1000...000.0
Integer :ok: #488 / :ok: :ok: / :ok:
Long :ok: #488 / :ok: :ok: / :ok:
Float/Double :ok: #488 / :ok: :ok: / :ok:
Number :ok: :x: / :ok:* :ok:* / :ok:*
BigInteger :ok: :x: / :x: :x: / :x:
BigDecimal :ok: :x: / :x: :x: / :x:
Instant #90 #488 / :ok: :x: / :x:
Duration #90 #488 / :ok: :x: / :ok:

:ok: = not affected (those with * may be affected when using USE_BIG_DECIMAL_FOR_FLOATS or USE_BIG_INTEGER_FOR_INTS as deserialization feature) #XXX = fixed via the given ticket :x: = still vulnerable Those columns that have two values are using different code path for native numbers (first value) or numbers that are handed over as string (second value).

So as you can see, there are still several possible attack vectors. I'm aware that you most probably don't want to change those for Number, BigInteger and BigDecimal as this may result in reduced precision. But you need to make clear for developers at some place, that using these types may result in a possible degradation of service. What I'm worried most about are those open issues for Instant (and those using the same deserializer) and Duration. I think those need to get fixed sooner than later.

(I don't guarantee that this list is complete nor that it is correct, as most of the value were written down after reading the code - only some of them have been checked.)

GFriedrich avatar Jan 10 '19 21:01 GFriedrich

Thank you for listing potential vulnerabilities. I am not really sure what to do here, to be honest. But maybe someone has concrete suggestions. I do think that actual work will need to be split, and in most cases would end up either in jackson-databind (for Number deserialization, if any), or this module for Instant, Duration.

cowtowncoder avatar Jan 11 '19 06:01 cowtowncoder

Jsoniter-scala when parsing BigDecimal checks two configurable limits which have safe defaults: 1st one is for the number of significant digits and a 2nd one for the scale.

plokhotnyuk avatar Jan 11 '19 08:01 plokhotnyuk

Would probably be good to update wrt 2.10.0, as some of the cases have been handled. But not quite sure how to verify/update.

cowtowncoder avatar Oct 09 '19 06:10 cowtowncoder

I think this:

https://github.com/FasterXML/jackson-core/pull/827

to be included in 2.15.0 will actually solve issues listed here, so closing.

cowtowncoder avatar Jan 06 '23 03:01 cowtowncoder