Uploaded image for project: 'RESTEasy'
  1. RESTEasy
  2. RESTEASY-2279

json-patch pulls in vulnerable guava

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • 4.3.0.Final, 3.9.0.Final
    • None
    • None
    • None

    Description

      json-patch pulls in vulnerable guava
      json-patch 1.9 is from Nov 2014 - https://mvnrepository.com/artifact/com.github.fge/json-patch

      In WF guava version is overriden but in other projects this strict rules may not be applied or all the deps are not controlled.

      Info from snyk.io:

      Deserialization of Untrusted Data 
Vulnerable module: com.google.guava:guava
Introduced through: com.github.fge:json-patch@1.9
Detailed paths
Introduced through: org.jboss.resteasy:resteasy-jackson2-provider@4.1.0-SNAPSHOT › com.github.fge:json-patch@1.9 › com.github.fge:jackson-coreutils@1.6 › com.google.guava:guava@16.0.1
Overview
com.google.guava:guava is a set of core libraries that includes new collection types (such as multimap and multiset,immutable collections, a graph library, functional types, an in-memory cache and more.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data.

During deserialization, two Guava classes accept a caller-specified size parameter and eagerly allocate an array of that size:

AtomicDoubleArray (when serialized with Java serialization)
CompoundOrdering (when serialized with GWT serialization)
An attacker may be able to send a specially crafted request which with then cause the server to allocate all it's memory, without validation whether the data size is reasonable.

      Attachments

        Activity

          People

            rhn-support-asoldano Alessio Soldano
            rsvoboda@redhat.com Rostislav Svoboda
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: