PRISMA-2023-0067 Jackson Number Parse DoS. Analysis of vulnerability
Description
Activity
Julian Ladisch January 24, 2024 at 10:43 PM
mod-data-export-spring: The upgrade to Spring Boot 3.1.4 has upgraded Jackson to the fixed version 2.15.2: https://github.com/folio-org/mod-data-export-spring/pull/274/files
mod-data-export-worker: The upgrade to Spring Boot 3.1.4 has upgraded Jackson to the fixed version 2.15.2: https://github.com/folio-org/mod-data-export-worker/pull/490/files
mod-bulk-operations: The upgrade to Spring Boot 3.1.4 has upgraded Jackson to the fixed version 2.15.2: https://github.com/folio-org/mod-bulk-operations/pull/135/files
mod-service-interaction: Will get fixed when upgrading from Grails 5 to Grails 6: https://folio-org.atlassian.net/browse/ERM-3111
Craig McNally November 16, 2023 at 2:05 PM (Edited)
FYI: Just updated description with the following additional modules:
mod-data-export-spring Firebird
mod-data-export-worker Firebird
mod-bulk-operations Firebird
mod-service-interaction K-Int
I don't think any of them are affected, but included them for completeness.
Craig McNally November 9, 2023 at 4:27 PM
We need to take a look at whether the edge modules are affected by this.
Julian Ladisch November 3, 2023 at 1:32 PM
I suggest closing this as won't do. An attacker requires a valid login to send malicious JSON to an affected module and can only cause denial of service.
mod-login doesn't require a valid login but mod-login has bumped to jackson-core 2.15.0 since mod-login version 7.9.0 released February 2023.
Julian Ladisch November 3, 2023 at 1:07 PM
The same for Okapi:
Okapi v5.1.0 upgraded from Vert.x 4.3.x to 4.4.5: https://github.com/folio-org/okapi/releases/tag/v5.1.0
com.fasterxml.jackson.core_jackson-core package versions before 2.15.0 are vulnerable to Denial of Service (DoS). The package does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended and leads to Uncontrolled Resource Consumption ('Resource Exhaustion').
See https://github.com/FasterXML/jackson-core/pull/827 - "Add numeric value size limits via StreamReadConstraints (fixes sonatype-2022-6438) – default 1000 chars"
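The fix referenced above is the StreamReadConstraints API that jackson-core 2.15.0 introduced, which caps the length of a numeric token (1000 characters by default) before the parser tries to convert it. The following added example, which is not part of this ticket or of any FOLIO module, shows how a module can pin that limit explicitly on its ObjectMapper and self-check that an oversized number is refused. It assumes jackson-core and jackson-databind 2.15.x on the classpath; the class name, the `amount` field and the digit counts are constructed for the illustration.

```java
import java.io.IOException;

import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Checks that the jackson-core on the classpath enforces the numeric value
 * size limit added in 2.15.0 via StreamReadConstraints.
 * Added example for this ticket; not FOLIO project code.
 */
public class JacksonNumberLimitCheck {

    /** Builds a mapper with an explicit number-length limit (2.15 default is 1000 chars). */
    static ObjectMapper mapperWithNumberLimit(int maxNumberLength) {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxNumberLength(maxNumberLength)
                .build();
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(constraints)
                .build();
        return new ObjectMapper(factory);
    }

    /** Constructed input: a JSON object whose single numeric value has `digits` digits. */
    static String jsonWithLongNumber(int digits) {
        StringBuilder sb = new StringBuilder("{\"amount\": 1");
        for (int i = 1; i < digits; i++) {
            sb.append('7');
        }
        return sb.append('}').toString();
    }

    /** Returns true when the parser rejected the document because of the size limit. */
    static boolean isRejected(ObjectMapper mapper, String json) throws IOException {
        try {
            mapper.readTree(json);
            // Parsed: the numeric token fit within the configured limit.
            return false;
        } catch (StreamConstraintsException e) {
            // jackson-core >= 2.15.0 refuses the oversized token while tokenizing,
            // before any BigInteger/BigDecimal conversion work is done.
            return true;
        }
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = mapperWithNumberLimit(1000);
        System.out.println("999 digits rejected:  " + isRejected(mapper, jsonWithLongNumber(999)));   // false
        System.out.println("1001 digits rejected: " + isRejected(mapper, jsonWithLongNumber(1001)));  // true
        // A jackson-core older than 2.15.0 has no StreamReadConstraints class, so this
        // file does not even compile against it; that failure itself flags a vulnerable build.
    }
}
```

Modules that obtain their ObjectMapper from a framework (Spring Boot, Vert.x, Grails) get the 2.15 default limit as soon as the transitive jackson-core is at 2.15.0 or later, as the comments above confirm for the Spring Boot 3.1.4 and Vert.x 4.4.5 upgrades; the explicit builder is only needed where a module wants a limit different from the default.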
Severity: High
PRISMA-2023-0067
Modules Impacted:
mod-oai-pmh Firebird
edge-oai-pmh Firebird - 2.7.0 affected - (https://folio-org.atlassian.net/browse/EDGOAIPMH-108)
mod-data-export Firebird
mod-source-record-storage Folijet
mod-source-record-manager Folijet
mod-data-import Folijet
mod-inventory Folijet
mod-erm-usage-harvester Leipzig
edge-connexion Mjolnir - 1.1.0 affected - (https://folio-org.atlassian.net/browse/EDGCONX-37)
mod-inventory-storage Spitfire
edge-rtac TBD - 2.6.0 affected - 2.6.1 fixed
mod-rtac TBD
mod-courses Thor
mod-settings Thor
mod-finance-storage Thunderjet
mod-organizations-storage Thunderjet
mod-orders-storage Thunderjet
mod-invoice-storage Thunderjet
mod-organizations Thunderjet
mod-finance Thunderjet
mod-orders Thunderjet
mod-invoice Thunderjet
mod-gobi Thunderjet
edge-orders Thunderjet - 2.9.0 affected - (https://folio-org.atlassian.net/browse/EDGORDERS-78)
mod-circulation-storage Vega
mod-patron-blocks Vega
mod-feesfines Vega
mod-circulation Vega
mod-patron Vega
edge-patron Vega - 5.0.0 affected - 5.0.1 fixed
mod-event-config Volaris
mod-users Volaris
mod-email Volaris
mod-users-bl Volaris
mod-notify Volaris
mod-audit Volaris
edge-sip2 Volaris - 3.1.0 affected - 3.1.1 fixed
mod-sender Volaris
mod-licenses Bienenvolk (fka ERM)
mod-data-export-spring Firebird
mod-data-export-worker Firebird
mod-bulk-operations Firebird
mod-service-interaction K-Int