Possible DoS if using JDK serialization to serialize `JsonNode` [CVE-2021-46877]

[cowtowncoder]

There is a report on possible DoS attack, against certain versions of Jackson 2.10.x - 2.13.x (does not affect earlier versions like 2.9, nor future 2.14 and 3.0).

CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-46877

Fix has been included in versions:

• 2.12.6
• 2.13.1

No current plans to back-porting into 2.10 or 2.11 branches (2.9 and earlier not affected).

---

CVE description

Applicability

The vulnerability is available only when using JDK serialization to serialize, deserialize JsonNode values: this is not something most users ever do, nor is it recommended for general usage.

So, any other use of JsonNode is completely unrelated to the reported CVE: this ONLY APPLIES WITH JDK SERIALIZATION.

Example

So how does one use JDK Serialization with Jackson's JsonNode?

Example of such usage (copied from test NodeJDKSerializationTest.java) is:

ObjectNode root = MAPPER.createObjectNode();
root.put("answer", 42);
// Instead of usual "write as JSON" (using "node.toString()" or serialize using ObjectMapper)
// something wants to use JDK serialization: some caching frameworks do this

ByteArrayOutputStream bytes = new ByteArrayOutputStream();
ObjectOutputStream obOut = new ObjectOutputStream(bytes);
obOut.writeObject(root);
obOut.close();
byte[] jdkSer = bytes.toByteArray();

// and somewhere something wants to read it back like so:
ObjectInputStream objIn = new ObjectInputStream(new ByteArrayInputStream(jdkSer));
ObjectNode fromSer = (ObjectNode) objIn.readObject();

// ^^^^ to cause DoD, attacker would need to produce a specifically changed version of
//    payload!

The issue with JDK serialization is due to combination of format used and original code (see class NodeSerialization for details).

First: JsonNode is serialized as a sequence of bytes where first 4 bytes indicate length of actual content; and contents are JSON serialization itself. When reading it back (JDK deserialization) length is read first, original code allocates a byte[] with that size, and then contents are read. This works, functionally speaking.

But if attacker provides, instead, a payload that contains only 4-byte length, with value of Integer.MAX_VALUE, then decoder will:

1. Read the length
2. Allocate 2 gig byte[] array
3. If it succeeds, try to read contents, fail

The problem here is that during step (2), a large buffer allocation may well run process out of (heap) memory -- especially so if attacker manages to inject multiple broken messages.

Fix is to avoid eager allocation of big buffers and only allocate buffers as needed, along reading of the payload.

[plokhotnyuk]

@cowtowncoder Please contact me if it will require any help with a fix implementation.

[cowtowncoder]

@plokhotnyuk Thank you. I think I know how to handle this as it is sort of similar to some issues with CBOR/Smile codecs. But if you are interested and have time, I would definitely accept help!

Since I do not want to publicly disclose details yet, could you email me (tatu at fasterxml dot com) and I can share the details, as well as my idea of the fix?
Or if you want to join:

https://groups.google.com/g/jackson-dev-infosec

I can share details there as well?

[cowtowncoder]

Fix implemented, fwtw; backported for inclusion in:

• 2.12.6 (released 15-Dec-2021)
• 2.13.1

[freemanzMrojo]

@cowtowncoder do you have an estimation about when this fix is gonna be released in those versions? Thanks in advance.

[jphelp32]

@cowtowncoder do you plan to fix this for 2.11?

[cowtowncoder]

@freemanzMrojo Hoping to release 2.12.6 some time this week; 2.13.1 at earlier this weekend but we'll see. My non-paid OSS work time is severely limited these days, and esp. so on holiday times.

@jphelp32 No, neither 2.11 nor 2.10.

I'll add a note to mention that this only affects versions 2.10.0 + (2.9.x and earlier not affected).
Also worth note: it is very unlikely this actually affects anyone; but I can only explain why after patch is released.

[beedle-]

Hi @cowtowncoder , thanks a lot for your work.
I don't see the 2.14.0 artifact in maven central, any idea why it's not available ?

[yawkat]

@beedle- there is no 2.14 release yet.

[devkhatri9]

@cowtowncoder Because of vulnerability in jackson databind 2.12.5 version, I have been assigned the task to fix this issue asap,
can you please give me an estimate , when you are planning to release version 2.12.6 and 2.13.1.
If it doesn't get fixed by this week, I might have to use some alternative jar.

Thanks in advance