Jackson-core and Jackson-databind security audit2nd November, 2022
Ada Logics recently carried out a security audit of Jackson-core and Jackson-databind. Jackson-core and Jackson-databind are libraries that offer a series of features related to data parsing and databinding.
Goals of the audit
The security review had a holistic approach and had several high level goals. First, we formalised a threat model of both libraries, which identified the most commonly used methods dealing with untrusted data. The threat model is meant to be belpful to Jackson maintainers, contributors, users, as well as security researchers that wish to contribute to the continued security of both projects. Next, Ada Logics improved the fuzzing suites of both projects which relied on the threat model to target the most critical methods. This part was especially rewarding and resulted in several high-severity findings. Finally we did a manual audit which found that ongoing security work of the projects was clearly visible and found a few issues that could put users at risk if the particular components were used insecurely.
The audit found 12 issues ranging in severity from informational to high. The most notable findings were two CVEs of high severity:
The two CVEs both had root cause in recursive stack overflows that could crash the application in which Jackcson was running. Two similar issues were found, but these were assessed to have such a rare use case - if any at all - that CVEs were not assigned.
We would like to thank Jackson maintainer Tatu Saloranta for the cooperation - and for maintaining a vital piece of global critical infrastructure - and OSTIF for facilitating the security audit.