CVE-2022-42003: jackson-databind before 2.14.0-rc1 can exhaust resources when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
In FasterXML jackson-databind before 2.14.0-rc1 (and before the backport releases 2.13.4.1 and 2.12.17.1), the primitive value deserializers lack a check that limits how deeply a single value may be wrapped in arrays. With DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS enabled, an input such as [[[[1]]]] nested thousands of levels deep is unwrapped one level per recursive call to the primitive deserializer, so the nesting depth of the input directly controls the recursion depth. A sufficiently nested document exhausts the thread's stack (StackOverflowError), which is a denial of service against any service that deserializes untrusted JSON with this feature turned on. The feature is disabled by default; a mapper that never enables it is not exposed.
The issue is tracked as jackson-databind issue #3590 and is fixed in jackson-databind 2.14.0-rc1, with the fix backported to 2.13.4.1 and 2.12.17.1.
How to fix code issues
Upgrade jackson-databind to 2.14.0-rc1 or later, or to the backport releases 2.13.4.1 or 2.12.17.1 on the 2.13 and 2.12 lines. If you cannot upgrade immediately, check your code for the following:
- Any ObjectMapper, ObjectReader or mapper builder that calls enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS) or configure(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS, true). The feature is off by default, so only code that turns it on is exposed.
- Whether the mappers that enable it ever read input from untrusted sources (request bodies, message queues, uploaded files). Disable the feature on those mappers, or parse untrusted input with a mapper that leaves it off, until the upgrade lands.
Impact
A crafted JSON document made mostly of [ and ] characters is enough to drive the recursion past the thread's stack size, and the attack needs no authentication and no user interaction: CVSS v3.1 base score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), availability impact only. The StackOverflowError unwinds the worker thread that was deserializing; frameworks that catch Throwable turn it into an error response, others lose the thread or the request, and a stream of such requests keeps the service busy doing nothing useful. Fixed in jackson-databind 2.14.0-rc1, 2.13.4.1 and 2.12.17.1.
How to reproduce
Enable UNWRAP_SINGLE_VALUE_ARRAYS on an ObjectMapper and ask it to bind a deeply nested wrapper array to a primitive type, for example int.class. On an affected version each [ adds one recursive call to the primitive deserializer, so a payload nested deep enough ends in a StackOverflowError. On a fixed version the second nested array is rejected with a JsonMappingException (MismatchedInputException) before any further recursion, and on 2.15 and later the parser's default nesting limit (StreamReadConstraints, 1000 levels) may stop the input even earlier with a StreamConstraintsException.
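As an added check (not code from this page or from the Jackson project), the following Java program feeds a deeply nested single-value wrapper array to an ObjectMapper with UNWRAP_SINGLE_VALUE_ARRAYS enabled and reports whether the copy of jackson-databind on the classpath is affected. It assumes jackson-databind, jackson-core and jackson-annotations are on the classpath; the class name UnwrapNestingProbe, the default depth of 100000 and the probe document are choices made here, not anything from the advisory.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

public class UnwrapNestingProbe {

    // Builds a JSON document "[[[42]]]" with `depth` wrapper arrays around
    // a single int. Constructed probe input, not captured traffic.
    static String nestedWrapper(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2 + 2);
        for (int i = 0; i < depth; i++) {
            sb.append('[');
        }
        sb.append("42");
        for (int i = 0; i < depth; i++) {
            sb.append(']');
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        int depth = args.length > 0 ? Integer.parseInt(args[0]) : 100_000;

        // The vulnerable configuration: the feature is off by default.
        ObjectMapper mapper = new ObjectMapper()
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
        System.out.println("jackson-databind " + mapper.version());

        // One wrapper level is the case the feature exists for; every
        // version, fixed or not, must accept it.
        System.out.println("[42] -> " + mapper.readValue("[42]", int.class));

        String payload = nestedWrapper(depth);
        try {
            int v = mapper.readValue(payload, int.class);
            // Only reached if the depth was too small for the stack in use.
            System.out.println("depth " + depth + " unwrapped to " + v
                    + " (increase the depth and rerun)");
        } catch (StackOverflowError e) {
            // Unbounded recursion in the primitive deserializer: affected.
            System.out.println("depth " + depth + " -> StackOverflowError: AFFECTED");
        } catch (JsonProcessingException e) {
            // 2.14.0-rc1, 2.13.4.1 and 2.12.17.1 reject the nested wrapper
            // in databind (MismatchedInputException); 2.15+ may stop earlier
            // in jackson-core at its default nesting limit
            // (StreamConstraintsException). Either way the thread survives.
            System.out.println("depth " + depth + " -> "
                    + e.getClass().getSimpleName() + ": FIXED");
        }
    }
}
```

Run it once against the version currently deployed and once against the upgraded version; the outcome should change from StackOverflowError to a caught exception. An optional first argument overrides the depth, which matters if the JVM runs with a larger -Xss than the default.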
What is jackson-databind?
jackson-databind is the data-binding module of the FasterXML Jackson project, the most widely used JSON library for Java. It converts JSON to and from Java objects (POJOs, collections, primitives) on top of the streaming parser in jackson-core, and it is pulled in transitively by frameworks such as Spring Boot, so applications are frequently exposed to its CVEs without declaring a direct dependency on it.
Timeline
Published on: 10/02/2022 05:15:00 UTC
Last modified on: 10/04/2022 18:56:00 UTC