Bug 2185707 (CVE-2021-46877) - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode
Summary: CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to s...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-46877
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium (priority), medium (severity)
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2187369 2185708 2185709 2185711
Blocks: 2179731
Reported: 2023-04-11 04:16 UTC by Sandipan Roy
Modified: 2023-08-16 10:56 UTC
CC List: 119 users

Fixed In Version: jackson-databind 2.13.1, jackson-databind 2.12.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
Clone Of:
Environment:
Last Closed: 2023-05-18 15:41:15 UTC
Embargoed:

Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2023:3223  0        None      None    None     2023-05-18 09:54:46 UTC
Red Hat Product Errata  RHSA-2023:3299  0        None      None    None     2023-05-24 17:11:20 UTC
Red Hat Product Errata  RHSA-2023:3373  0        None      None    None     2023-05-31 11:44:52 UTC
Red Hat Product Errata  RHSA-2023:3610  0        None      None    None     2023-06-15 00:15:13 UTC
Red Hat Product Errata  RHSA-2023:3815  0        None      None    None     2023-06-27 11:29:18 UTC
Red Hat Product Errata  RHSA-2023:4505  0        None      None    None     2023-08-07 15:15:04 UTC
Red Hat Product Errata  RHSA-2023:4506  0        None      None    None     2023-08-07 15:15:42 UTC
Red Hat Product Errata  RHSA-2023:4507  0        None      None    None     2023-08-07 15:16:46 UTC
Red Hat Product Errata  RHSA-2023:4509  0        None      None    None     2023-08-07 15:02:28 UTC
Red Hat Product Errata  RHSA-2023:4612  0        None      None    None     2023-08-16 10:56:20 UTC
Red Hat Product Errata  RHSA-2023:4627  0        None      None    None     2023-08-14 01:03:00 UTC

Description Sandipan Roy 2023-04-11 04:16:46 UTC
jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

https://github.com/FasterXML/jackson-databind/issues/3328
https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw

Comment 2 Sandipan Roy 2023-04-11 04:22:51 UTC
Created jackson-databind tracking bugs for this issue:

Affects: fedora-36 [bug 2185709]
Affects: fedora-37 [bug 2185711]

Comment 12 errata-xmlrpc 2023-05-18 09:54:40 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.4.0

Via RHSA-2023:3223 https://access.redhat.com/errata/RHSA-2023:3223

Comment 13 Product Security DevOps Team 2023-05-18 15:41:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-46877

Comment 14 errata-xmlrpc 2023-05-24 17:11:14 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.13

Via RHSA-2023:3299 https://access.redhat.com/errata/RHSA-2023:3299

Comment 15 errata-xmlrpc 2023-05-31 11:44:44 UTC
This issue has been addressed in the following products:

  Migration Toolkit for Runtimes 1 on RHEL 8

Via RHSA-2023:3373 https://access.redhat.com/errata/RHSA-2023:3373

Comment 16 errata-xmlrpc 2023-06-15 00:15:04 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.12

Via RHSA-2023:3610 https://access.redhat.com/errata/RHSA-2023:3610

Comment 17 errata-xmlrpc 2023-06-27 11:29:10 UTC
This issue has been addressed in the following products:

  RHINT Service Registry 2.4.3 GA

Via RHSA-2023:3815 https://access.redhat.com/errata/RHSA-2023:3815

Comment 18 errata-xmlrpc 2023-08-07 15:02:23 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2023:4509 https://access.redhat.com/errata/RHSA-2023:4509

Comment 19 errata-xmlrpc 2023-08-07 15:14:56 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2023:4505 https://access.redhat.com/errata/RHSA-2023:4505

Comment 20 errata-xmlrpc 2023-08-07 15:15:35 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2023:4506 https://access.redhat.com/errata/RHSA-2023:4506

Comment 21 errata-xmlrpc 2023-08-07 15:16:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2023:4507 https://access.redhat.com/errata/RHSA-2023:4507

Comment 22 errata-xmlrpc 2023-08-14 01:02:52 UTC
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627

Comment 23 errata-xmlrpc 2023-08-16 10:56:11 UTC
This issue has been addressed in the following products:

  Red Hat support for Spring Boot 2.7.13

Via RHSA-2023:4612 https://access.redhat.com/errata/RHSA-2023:4612
