CVE-2022-42004 - Vulnerability Details

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00261.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Fasterxml	Jackson-databind
Netapp	Oncommand Workflow Automation
Quarkus	Quarkus
Redhat	Amq Broker Amq Streams Camel Quarkus Camel Spring Boot Jboss Data Grid Jboss Enterprise Application Platform Jboss Enterprise Application Platform Eus Jboss Enterprise Bpms Platform Logging Migration Toolkit Runtimes Ocp Tools Openshift Application Runtimes Quarkus Red Hat Single Sign On Rhosemc Satellite

Configuration 1 [-]

OR	cpe:2.3:a:fasterxml:jackson-databind::::::::
	cpe:2.3:a:fasterxml:jackson-databind::::::::

Configuration 2 [-]

cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*

Configuration 3 [-]

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 4 [-]

cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Logging subsystem for Red Hat OpenShift 5.4
openshift-logging/elasticsearch6-rhel8:v6.8.1-265	cpe:/a:redhat:logging:5.4::el8	RHSA-2022:7435	2022-11-16T00:00:00Z
openshift-logging/elasticsearch-operator-bundle:v5.4.8-11	cpe:/a:redhat:logging:5.4::el8	RHSA-2022:7435	2022-11-16T00:00:00Z
openshift-logging/elasticsearch-proxy-rhel8:v1.0.0-300	cpe:/a:redhat:logging:5.4::el8	RHSA-2022:7435	2022-11-16T00:00:00Z
openshift-logging/elasticsearch-rhel8-operator:v5.4.8-3	cpe:/a:redhat:logging:5.4::el8	RHSA-2022:7435	2022-11-16T00:00:00Z
Migration Toolkit for Runtimes 1 on RHEL 8
jackson-databind	cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8	RHSA-2023:0471	2023-01-26T00:00:00Z
OCP-Tools-4.12-RHEL-8
jenkins-2-plugins-0:4.12.1675702407-1.el8	cpe:/a:redhat:ocp_tools:4.12::el8	RHSA-2023:1064	2023-03-06T00:00:00Z
OpenShift Developer Tools and Services for OCP 4.11
jenkins-2-plugins-0:4.11.1686831822-1.el8	cpe:/a:redhat:ocp_tools:4.11::el8	RHSA-2023:3663	2023-06-19T00:00:00Z
OpenShift Logging 5.3
openshift-logging/elasticsearch6-rhel8:v6.8.1-277	cpe:/a:redhat:logging:5.3::el8	RHSA-2022:8889	2022-12-08T00:00:00Z
openshift-logging/elasticsearch-operator-bundle:v5.3.14-16	cpe:/a:redhat:logging:5.3::el8	RHSA-2022:8889	2022-12-08T00:00:00Z
openshift-logging/elasticsearch-proxy-rhel8:v1.0.0-315	cpe:/a:redhat:logging:5.3::el8	RHSA-2022:8889	2022-12-08T00:00:00Z
openshift-logging/elasticsearch-rhel8-operator:v5.3.14-5	cpe:/a:redhat:logging:5.3::el8	RHSA-2022:8889	2022-12-08T00:00:00Z
Red Hat AMQ Broker 7
jackson-databind	cpe:/a:redhat:amq_broker:7	RHSA-2022:8876	2022-12-07T00:00:00Z
Red Hat AMQ Streams 2.3.0
jackson-databind	cpe:/a:redhat:amq_streams:2	RHSA-2023:0189	2023-01-17T00:00:00Z
Red Hat AMQ Streams 2.4.0
	cpe:/a:redhat:amq_streams:2	RHSA-2023:3223	2023-05-18T00:00:00Z
Red Hat build of Eclipse Vert.x 4.3.4
jackson-databind	cpe:/a:redhat:openshift_application_runtimes:1.0	RHSA-2022:9032	2022-12-15T00:00:00Z
Red Hat build of Quarkus 2.13.5
jackson-databind	cpe:/a:redhat:quarkus:2.13	RHSA-2022:9023	2022-12-14T00:00:00Z
Red Hat build of Quarkus 2.7.7
	cpe:/a:redhat:quarkus:2.7	RHSA-2023:1006	2023-03-08T00:00:00Z
Red Hat Data Grid 8.4.1
jackson-databind	cpe:/a:redhat:jboss_data_grid:8	RHSA-2023:0713	2023-02-09T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7
jackson-databind	cpe:/a:redhat:jboss_enterprise_application_platform:7.4	RHSA-2023:0556	2023-01-31T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:1746	2025-02-24T00:00:00Z
eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:1746	2025-02-24T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:1747	2025-02-24T00:00:00Z
eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:1747	2025-02-24T00:00:00Z
eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:1747	2025-02-24T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2023:0553	2023-01-31T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2023:0554	2023-01-31T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2023:0552	2023-01-31T00:00:00Z
Red Hat Satellite 6.13 for RHEL 8
candlepin-0:4.2.13-1.el8sat	cpe:/a:redhat:satellite:6.13::el8	RHSA-2023:2097	2023-05-03T00:00:00Z
Red Hat Single Sign-On 7
jackson-databind	cpe:/a:redhat:red_hat_single_sign_on:7.6	RHSA-2023:1049	2023-03-01T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 7
rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el7	RHSA-2023:1043	2023-03-01T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 8
rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el8	RHSA-2023:1044	2023-03-01T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 9
rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el9	RHSA-2023:1045	2023-03-01T00:00:00Z
RHEL-8 based Middleware Containers
rh-sso-7/sso76-openshift-rhel8:7.6-20	cpe:/a:redhat:rhosemc:1.0::el8	RHSA-2023:1047	2023-03-01T00:00:00Z
RHINT Camel-Q 2.13.2
jackson-databind	cpe:/a:redhat:camel_quarkus:2.13	RHSA-2023:0469	2023-01-26T00:00:00Z
RHINT Camel-Springboot 3.18.3.P2
jackson-databind	cpe:/a:redhat:camel_spring_boot:3.18	RHSA-2023:3641	2023-06-15T00:00:00Z
RHINT Camel-Springboot 3.20.1
jackson-databind	cpe:/a:redhat:camel_spring_boot:3.20.1	RHSA-2023:2100	2023-05-03T00:00:00Z
RHOL-5.5-RHEL-8
openshift-logging/elasticsearch6-rhel8:v6.8.1-273	cpe:/a:redhat:logging:5.5::el8	RHSA-2022:8781	2022-12-08T00:00:00Z
openshift-logging/elasticsearch-operator-bundle:v5.5.5-14	cpe:/a:redhat:logging:5.5::el8	RHSA-2022:8781	2022-12-08T00:00:00Z
openshift-logging/elasticsearch-proxy-rhel8:v1.0.0-311	cpe:/a:redhat:logging:5.5::el8	RHSA-2022:8781	2022-12-08T00:00:00Z
openshift-logging/elasticsearch-rhel8-operator:v5.5.5-2	cpe:/a:redhat:logging:5.5::el8	RHSA-2022:8781	2022-12-08T00:00:00Z
RHOL-5.6-RHEL-8
openshift-logging/elasticsearch6-rhel8:v6.8.1-285	cpe:/a:redhat:logging:5.6::el8	RHSA-2023:0264	2023-01-19T00:00:00Z
RHPAM 7.13.1 async
jackson-databind	cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13	RHSA-2023:2135	2023-05-04T00:00:00Z

No data.

Advisories

Source	ID	Title
Debian DLA	DLA-3207-1	jackson-databind security update
Debian DSA	DSA-5283-1	jackson-databind security update
EUVD	EUVD-2022-7159	In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
Github GHSA	GHSA-rgv9-q543-rqg4	Uncontrolled Resource Consumption in FasterXML jackson-databind

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490
https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88
https://github.com/FasterXML/jackson-databind/issues/3582
https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
https://nvd.nist.gov/vuln/detail/CVE-2022-42004
https://security.gentoo.org/glsa/202210-21
https://security.netapp.com/advisory/ntap-20221118-0008/
https://www.cve.org/CVERecord?id=CVE-2022-42004
https://www.debian.org/security/2022/dsa-5283

History

Tue, 25 Feb 2025 02:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat jboss Enterprise Application Platform Eus
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
Vendors & Products		Redhat jboss Enterprise Application Platform Eus

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-10-02T00:00:00

Updated: 2024-08-03T12:56:39.182Z

Reserved: 2022-10-02T00:00:00

Link: CVE-2022-42004

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-10-02T05:15:09.237

Modified: 2024-11-21T07:24:15.277

Link: CVE-2022-42004

Redhat

Severity : Moderate

Publid Date: 2022-10-02T00:00:00Z

Links: CVE-2022-42004 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object