-
Notifications
You must be signed in to change notification settings - Fork 117
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Performance issue with malicious BigDecimal
input, InstantDeserializer
, DurationDeserializer
(CVE-2018-1000873)
#90
Comments
(copied from above-mentioned original issue; comment by @plokhotnyuk) Current implementations of Below are results of benchmarks for different JSON parsers for Scala (including Jackson-module-scala) which are parametrized by the
To run them on your JDK:
|
BigDecimal
inputBigDecimal
input, InstantDeserializer
, DurationDeserializer
Fixed via #87, to be included in 2.9.8 and later. |
Any plans to get a CVE for this issue? If not, I can request one. |
@ddillard Not aware of one. If you can do that, that'd be helpful! |
@cowtowncoder Ok, I'll submit a request and post here when it's approved. Usually takes a few weeks to get one and given the holidays I wouldn't be surprised if takes a bit longer. |
Good news! Kurt got to this really quickly and this issue has been assigned CVE-2018-1000873. Should get published in the NVD in the next few days. |
BigDecimal
input, InstantDeserializer
, DurationDeserializer
BigDecimal
input, InstantDeserializer
, DurationDeserializer
(CVE-2018-1000873)
@cowtowncoder are there any plans to fix this CVE in the 2.8 branch and cut a new release there? I'd volunteer to submit a pull request as #87 didn't look too complex. However, I can't help with the release part. Thoughts? |
@datagitlies No plans to backport as I really want to close 2.8 branch and any time spent on releasing from pre-2.9 is away from limited amount of time I have for my OSS hobby. |
Upstream is not fixing this issue in 2.8.x we need to upgrade to at least >= 2.9.8. Ref FasterXML/jackson-modules-java8#90 (comment) RDM-3796
Upstream is not fixing this issue in 2.8.x we need to upgrade to at least >= 2.9.8. Ref FasterXML/jackson-modules-java8#90 (comment) RDM-3796
Upstream is not fixing this issue in 2.8.x we need to upgrade to at least >= 2.9.8. Ref FasterXML/jackson-modules-java8#90 (comment) RDM-3796
Upstream is not fixing this issue in 2.8.x we need to upgrade to at least >= 2.9.8. Ref FasterXML/jackson-modules-java8#90 (comment) RDM-3796
(note: moved from FasterXML/jackson-databind#2141 reported by @plokhotnyuk)
It looks the same as: playframework/play-json#180
Reproduced by the following commit: plokhotnyuk/jsoniter-scala@0d53faf
The security bug is in
InstantDeserializer
andDurationDeserializer
of thejackson-datatype-jsr310
artifact:W/A is to use custom serializers for all types that are parsed with
InstantDeserializer
andDurationDeserializer
by registering them after (or instead of) registration of theJavaTimeModule
module.The text was updated successfully, but these errors were encountered: