We’re excited to report the results of the security audits of Jackson-Core and Jackson-Databind, two widely adopted Java libraries for parsing JSON and binding it to objects. The security review was facilitated by the Open Source Technology Improvement Fund (OSTIF), backed by the OpenSSF, and carried out by Adalogics.
The goal of a security audit is to find vulnerabilities so they can be fixed before attackers exploit them, and to identify ways to harden a project’s implementation and processes against future vulnerabilities. The Jackson team demonstrated a strong commitment to improving its security posture by requesting independent review and actively participating in the audit process.
The audit produced 12 security findings (3 High, 5 Medium, 4 Low/Informational). In addition, the Adalogics team built 10 new fuzzers (4 for Jackson-Core and 6 for Jackson-Databind), which uncovered eight new bugs. These fuzzers now run continuously on OSS-Fuzz against the Jackson projects, giving Jackson a long-term security benefit.
The two most notable issues are CVE-2022-42003 and CVE-2022-42004.
CVE-2022-42003 Resource Exhaustion via UNWRAP_SINGLE_VALUE_ARRAYS
The primitive value deserializers lacked a depth check, so with UNWRAP_SINGLE_VALUE_ARRAYS enabled an attacker-controlled document could wrap a single value in deeply nested arrays; each level of nesting recursed once more, exhausting the call stack and causing a denial of service. Fixed in jackson-databind 2.13.4.2 and 2.14.0-rc1 and later.
CVE-2022-42004 Resource Exhaustion via BeanDeserializer._deserializeFromArray
The same class of bug in BeanDeserializer._deserializeFromArray: deeply nested arrays could drive the deserializer into unbounded recursion and exhaust the stack, causing a denial of service. Its impact is more limited because it is only reachable when specific, non-default deserialization settings have been enabled. Fixed in jackson-databind 2.13.4 and later.
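Both CVEs share one root cause: a deserializer that recurses once per nested array with no bound on nesting depth. The following is an added example (not code from the audit report or from the Jackson project) that builds the hostile input shape, shows the configuration the two bugs needed, and applies the parser-level cap that a practitioner should deploy today. It assumes jackson-core and jackson-databind 2.15 or later, where StreamReadConstraints and its maxNestingDepth setting exist; the class name, the 100-level limit and the 100,000-level document are constructed for illustration.

```java
import java.io.IOException;

import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

public class NestedArrayDoS {

    // Constructed attacker input: one integer wrapped in `depth` single-element arrays,
    // e.g. depth 3 -> "[[[1]]]". A StringBuilder keeps a depth of 100k cheap to build.
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(2 * depth + 1);
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append('1');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // Parser with a hard cap on nesting depth (StreamReadConstraints, jackson-core 2.15+).
    // The cap is enforced in the tokenizer, so it protects every deserializer that consumes
    // the stream, whatever databind features are switched on.
    static JsonFactory boundedFactory(int maxDepth) {
        return JsonFactory.builder()
                .streamReadConstraints(StreamReadConstraints.builder()
                        .maxNestingDepth(maxDepth)
                        .build())
                .build();
    }

    // The non-default setting behind CVE-2022-42003: single-value array unwrapping enabled.
    // Pairing it with the bounded factory means a deep document is refused by the parser
    // before any deserializer can recurse on it.
    static ObjectMapper hardenedMapper(int maxDepth) {
        return JsonMapper.builder(boundedFactory(maxDepth))
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)
                .build();
    }

    // Walk the token stream iteratively. Returns the token count, or throws
    // StreamConstraintsException as soon as nesting exceeds the configured limit.
    static int countTokens(JsonFactory factory, String json) throws IOException {
        int tokens = 0;
        try (JsonParser p = factory.createParser(json)) {
            while (p.nextToken() != null) tokens++;
        }
        return tokens;
    }

    public static void main(String[] args) throws IOException {
        JsonFactory bounded = boundedFactory(100);

        // Benign input: 3 START_ARRAY + 1 value + 3 END_ARRAY = 7 tokens, well under the cap.
        System.out.println("tokens in [[[1]]]: " + countTokens(bounded, nestedArrays(3)));

        // Hostile input: 100,000 levels. Rejected at the 101st '[' instead of being handed
        // to a recursive deserializer.
        try {
            countTokens(bounded, nestedArrays(100_000));
        } catch (StreamConstraintsException e) {
            System.out.println("rejected by parser: " + e.getMessage());
        }

        // Same input through a primitive deserializer with UNWRAP_SINGLE_VALUE_ARRAYS on.
        // Unpatched jackson-databind recursed once per level here and died with a
        // StackOverflowError; patched versions reject a second wrapper array at once, and
        // the parser cap guarantees the same outcome for any code path that still recurses.
        // Run this only against a patched dependency.
        ObjectMapper mapper = hardenedMapper(100);
        System.out.println("[1] -> " + mapper.readValue(nestedArrays(1), Integer.class));
        try {
            mapper.readValue(nestedArrays(100_000), Integer.class);
        } catch (IOException e) {
            System.out.println("deep wrapper rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Before jackson-core 2.15 there is no parser-level depth limit, so the only defence for the two CVEs is upgrading to a patched jackson-databind and leaving UNWRAP_SINGLE_VALUE_ARRAYS (and other non-default array-unwrapping options) disabled unless the application actually needs them.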
The remaining high severity issue was an edge case that Adalogics and the Jackson team assessed as having no exploitable use case.
All of the serious issues identified through this engagement have been fixed, and the fixes were validated by the Adalogics team. The full report is linked below.
A big thank you to the Open Source Security Foundation (OpenSSF) for supporting the work and funding the audit. Thank you as well to the Adalogics team for executing the audit and working with us to make and validate fixes, and to the Secure Open Source initiative for helping to compensate the Jackson team for their extensive work improving these projects.
Special thanks also to Tatu Saloranta, Adam Korczynski, and David Korczynski for their roles in the engagement.
Let’s Do More to Make Open Source Better
Proactive security audits go a long way toward finding and fixing vulnerabilities. Everyone around the world depends on OSS, and we would love to do more security audits! If you’re interested in financially supporting this work, contact [email protected].
Link to full report: https://ostif.org/wp-content/uploads/2022/11/Jackson-Report-Shared.pdf