[https://issues.apache.org/jira/browse/TINKERPOP-2678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17469621#comment-17469621]
Stephen Mallette commented on TINKERPOP-2678:
---------------------------------------------
Thanks for reporting this. We are in the middle of a release and thus somewhat
hesitant to try to move minor dependency versions. You wrote this as "medium
level" and as I read the issue it seems like it only applies when: "The
vulnerability is available only when using JDK serialization to serialize,
deserialize JsonNode values" which I don't think we do. It feels like we could
delay adding this fix until next release. If anyone thinks otherwise, please
feel free to say so.
> jackson-databind medium security issue identified
> -------------------------------------------------
>
> Key: TINKERPOP-2678
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2678
> Project: TinkerPop
> Issue Type: Improvement
> Components: server
> Affects Versions: 3.5.0
> Reporter: Aaron Coady
> Priority: Major
>
> com.fasterxml.jackson.core_jackson-databind version 2.11.3 has this security
> issue identified. The resolution is in versions 2.14, 2.13.1 and 2.12.6
>
> [https://github.com/FasterXML/jackson-databind/issues/3328]
>
> Issue summary:
> jackson-databind in certain versions from 2.10 is vulnerable to DoS attack,
> only when using JDK serialization to serialize, deserialize JsonNode values.
> An attacker can provide a 4-byte length payload, with the value of
> Integer.MAX_VALUE, that will cause the decoder to allocate a large buffer
> leading to out of heap memory - especially so if the attacker manages to
> inject multiple broken messages.
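Added example, not code from TinkerPop or jackson-databind: the length-prefixed allocation pattern the issue summary describes, beside a bounded, chunked read of the same framing. The class and constant names, the 1 MiB limit and the framed inputs are hypothetical and constructed for this example.

```java
import java.io.*;
public class LengthPrefixedPayload {
    // Hypothetical limits chosen for this example, not values from jackson-databind.
    static final int MAX_PAYLOAD = 1 << 20; // 1 MiB
    static final int CHUNK = 8 * 1024;

    // Vulnerable pattern from the issue summary: the 4-byte length is taken straight from
    // the stream, so Integer.MAX_VALUE triggers a ~2 GiB allocation before any byte is checked.
    static byte[] readUnbounded(DataInput in) throws IOException {
        int len = in.readInt();
        byte[] buf = new byte[len];
        in.readFully(buf);
        return buf;
    }

    // Hardened pattern: reject implausible lengths up front and grow the buffer only as
    // bytes actually arrive, so a hostile or truncated stream costs at most CHUNK bytes.
    static byte[] readBounded(DataInput in) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > MAX_PAYLOAD) {
            throw new StreamCorruptedException("declared length " + len + " exceeds " + MAX_PAYLOAD);
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream(Math.min(len, CHUNK));
        byte[] chunk = new byte[CHUNK];
        for (int remaining = len; remaining > 0; ) {
            int n = Math.min(CHUNK, remaining);
            in.readFully(chunk, 0, n); // EOFException if the stream ends early
            out.write(chunk, 0, n);
            remaining -= n;
        }
        return out.toByteArray();
    }

    // Constructed input: a 4-byte length header followed by the body bytes we choose.
    static DataInput framed(int declaredLen, byte[] body) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream dos = new DataOutputStream(bos);
        dos.writeInt(declaredLen);
        dos.write(body);
        return new DataInputStream(new ByteArrayInputStream(bos.toByteArray()));
    }

    public static void main(String[] args) throws IOException {
        try { readBounded(framed(Integer.MAX_VALUE, new byte[0])); }
        catch (StreamCorruptedException e) { System.out.println("rejected: " + e.getMessage()); }
        try { readBounded(framed(100_000, new byte[10])); }
        catch (EOFException e) { System.out.println("truncated stream detected"); }
        System.out.println(readBounded(framed(3, new byte[] {1, 2, 3})).length + " bytes read");
    }
}
```

The bounded reader never calls `readUnbounded`; that method is kept only to show the shape of the pattern the issue reports, and calling it on the first framed input would attempt the large allocation.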
--
This message was sent by Atlassian Jira
(v8.20.1#820001)