CVE-2022-42003
First published: Sun Oct 02 2022(Updated: )
A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jenkins | <2-plugins-0:4.11.1686831822-1.el8 | 2-plugins-0:4.11.1686831822-1.el8 |
| redhat/jenkins | <2-plugins-0:4.12.1675702407-1.el8 | 2-plugins-0:4.12.1675702407-1.el8 |
| redhat/eap7-jackson-databind | <0:2.12.7-1.redhat_00003.1.el8ea | 0:2.12.7-1.redhat_00003.1.el8ea |
| redhat/eap7-jackson-databind | <0:2.12.7-1.redhat_00003.1.el9ea | 0:2.12.7-1.redhat_00003.1.el9ea |
| redhat/eap7-jackson-databind | <0:2.12.7-1.redhat_00003.1.el7ea | 0:2.12.7-1.redhat_00003.1.el7ea |
| redhat/candlepin | <0:4.1.19-1.el7 | 0:4.1.19-1.el7 |
| redhat/foreman | <0:3.1.1.26-1.el7 | 0:3.1.1.26-1.el7 |
| redhat/satellite | <0:6.11.5-1.el7 | 0:6.11.5-1.el7 |
| redhat/satellite-clone | <0:3.1.1-2.el7 | 0:3.1.1-2.el7 |
| redhat/tfm-pulpcore-python-naya | <0:1.1.1-1.1.el7 | 0:1.1.1-1.1.el7 |
| redhat/tfm-pulpcore-python-pulp-container | <0:2.9.9-1.el7 | 0:2.9.9-1.el7 |
| redhat/tfm-pulpcore-python-pulpcore | <0:3.16.15-1.el7 | 0:3.16.15-1.el7 |
| redhat/tfm-rubygem-actioncable | <0:6.0.6-2.el7 | 0:6.0.6-2.el7 |
| redhat/tfm-rubygem-actionmailbox | <0:6.0.6-2.el7 | 0:6.0.6-2.el7 |
| redhat/tfm-rubygem-actionmailer | <0:6.0.6-2.el7 | 0:6.0.6-2.el7 |
| redhat/tfm-rubygem-actionpack | <0:6.0.6-2.el7 | 0:6.0.6-2.el7 |
| redhat/tfm-rubygem-actiontext | <0:6.0.6-2.el7 | 0:6.0.6-2.el7 |
| redhat/tfm-rubygem-actionview | <0:6.0.6-2.el7 | 0:6.0.6-2.el7 |
| redhat/tfm-rubygem-activejob | <0:6.0.6-2.el7 | 0:6.0.6-2.el7 |
| redhat/tfm-rubygem-activemodel | <0:6.0.6-2.el7 | 0:6.0.6-2.el7 |
| redhat/tfm-rubygem-activerecord | <0:6.0.6-2.el7 | 0:6.0.6-2.el7 |
| redhat/tfm-rubygem-activestorage | <0:6.0.6-2.el7 | 0:6.0.6-2.el7 |
| redhat/tfm-rubygem-activesupport | <0:6.0.6-1.el7 | 0:6.0.6-1.el7 |
| redhat/tfm-rubygem-katello | <0:4.3.0.52-1.el7 | 0:4.3.0.52-1.el7 |
| redhat/tfm-rubygem-rails | <0:6.0.6-2.el7 | 0:6.0.6-2.el7 |
| redhat/tfm-rubygem-railties | <0:6.0.6-2.el7 | 0:6.0.6-2.el7 |
| redhat/candlepin | <0:4.1.19-1.el8 | 0:4.1.19-1.el8 |
| redhat/foreman | <0:3.1.1.26-1.el8 | 0:3.1.1.26-1.el8 |
| redhat/python-naya | <0:1.1.1-1.1.el8 | 0:1.1.1-1.1.el8 |
| redhat/python-pulp-container | <0:2.9.9-1.el8 | 0:2.9.9-1.el8 |
| redhat/python-pulpcore | <0:3.16.15-1.el8 | 0:3.16.15-1.el8 |
| redhat/rubygem-actioncable | <0:6.0.6-2.el8 | 0:6.0.6-2.el8 |
| redhat/rubygem-actionmailbox | <0:6.0.6-2.el8 | 0:6.0.6-2.el8 |
| redhat/rubygem-actionmailer | <0:6.0.6-2.el8 | 0:6.0.6-2.el8 |
| redhat/rubygem-actionpack | <0:6.0.6-2.el8 | 0:6.0.6-2.el8 |
| redhat/rubygem-actiontext | <0:6.0.6-2.el8 | 0:6.0.6-2.el8 |
| redhat/rubygem-actionview | <0:6.0.6-2.el8 | 0:6.0.6-2.el8 |
| redhat/rubygem-activejob | <0:6.0.6-2.el8 | 0:6.0.6-2.el8 |
| redhat/rubygem-activemodel | <0:6.0.6-2.el8 | 0:6.0.6-2.el8 |
| redhat/rubygem-activerecord | <0:6.0.6-2.el8 | 0:6.0.6-2.el8 |
| redhat/rubygem-activestorage | <0:6.0.6-2.el8 | 0:6.0.6-2.el8 |
| redhat/rubygem-activesupport | <0:6.0.6-1.el8 | 0:6.0.6-1.el8 |
| redhat/rubygem-katello | <0:4.3.0.52-1.el8 | 0:4.3.0.52-1.el8 |
| redhat/rubygem-rails | <0:6.0.6-2.el8 | 0:6.0.6-2.el8 |
| redhat/rubygem-railties | <0:6.0.6-2.el8 | 0:6.0.6-2.el8 |
| redhat/satellite | <0:6.11.5-1.el8 | 0:6.11.5-1.el8 |
| redhat/satellite-clone | <0:3.1.1-2.el8 | 0:3.1.1-2.el8 |
| redhat/candlepin | <0:4.1.18-1.el8 | 0:4.1.18-1.el8 |
| redhat/foreman | <0:3.3.0.18-1.el8 | 0:3.3.0.18-1.el8 |
| redhat/python-pulp-container | <0:2.10.10-1.el8 | 0:2.10.10-1.el8 |
| redhat/python-pulpcore | <0:3.18.11-1.el8 | 0:3.18.11-1.el8 |
| redhat/python-pulp-rpm | <0:3.18.9-1.el8 | 0:3.18.9-1.el8 |
| redhat/rubygem-katello | <0:4.5.0.22-1.el8 | 0:4.5.0.22-1.el8 |
| redhat/satellite | <0:6.12.1-1.el8 | 0:6.12.1-1.el8 |
| redhat/satellite-clone | <0:3.2.0-2.el8 | 0:3.2.0-2.el8 |
| redhat/candlepin | <0:4.2.13-1.el8 | 0:4.2.13-1.el8 |
| redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el7 | 0:18.0.6-1.redhat_00001.1.el7 |
| redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el8 | 0:18.0.6-1.redhat_00001.1.el8 |
| redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el9 | 0:18.0.6-1.redhat_00001.1.el9 |
| debian/jackson-databind | <=2.9.8-3+deb10u3 | 2.9.8-3+deb10u5 2.12.1-1+deb11u1 2.14.0-1 |
| maven/com.fasterxml.jackson.core:jackson-databind | >=2.13.0<2.13.4.2 | 2.13.4.2 |
| maven/com.fasterxml.jackson.core:jackson-databind | >=2.4.0-rc1<2.12.7.1 | 2.12.7.1 |
| FasterXML jackson-databind | <2.12.7.1 | |
| FasterXML jackson-databind | >=2.13.0<2.13.4.1 | |
| Red Hat Quarkus | <2.13.3 | |
| Debian GNU/Linux | =10.0 | |
| Debian GNU/Linux | =11.0 | |
| NetApp OnCommand Workflow Automation | ||
| IBM Data Virtualization on Cloud Pak for Data | <=3.0 | |
| IBM Watson Query on Cloud Pak for Data | <=2.2 | |
| IBM Watson Query on Cloud Pak for Data | <=2.1 | |
| IBM Watson Query on Cloud Pak for Data | <=2.0 | |
| IBM Data Virtualization on Cloud Pak for Data | <=1.8 | |
| IBM Data Virtualization on Cloud Pak for Data | <=1.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-42003 https://nvd.nist.gov/vuln/detail/CVE-2022-42003
- https://bugzilla.redhat.com/show_bug.cgi?id=2135244
- https://access.redhat.com/errata/RHSA-2022:7435
- https://access.redhat.com/errata/RHSA-2023:0471
- https://access.redhat.com/errata/RHSA-2023:3663
- https://access.redhat.com/errata/RHSA-2023:1064
- https://access.redhat.com/errata/RHSA-2022:8889
- https://access.redhat.com/errata/RHSA-2022:8876
- https://access.redhat.com/errata/RHSA-2022:9023
- https://access.redhat.com/errata/RHSA-2023:1006
- https://access.redhat.com/errata/RHSA-2023:0713
- https://access.redhat.com/errata/RHSA-2023:3641
- https://access.redhat.com/errata/RHSA-2023:2100
- https://access.redhat.com/errata/RHSA-2023:0469
- https://access.redhat.com/errata/RHSA-2023:0189
- https://access.redhat.com/errata/RHSA-2023:3223
- https://access.redhat.com/errata/RHSA-2023:0556
- https://access.redhat.com/errata/RHSA-2023:0553
- https://access.redhat.com/errata/RHSA-2023:0554
- https://access.redhat.com/errata/RHSA-2023:0552
- https://access.redhat.com/errata/RHSA-2023:1151
- https://access.redhat.com/errata/RHSA-2023:0261
- https://access.redhat.com/errata/RHSA-2023:2097
- https://access.redhat.com/errata/RHSA-2023:1049
- https://access.redhat.com/errata/RHSA-2023:1043
- https://access.redhat.com/errata/RHSA-2023:1044
- https://access.redhat.com/errata/RHSA-2023:1045
- https://access.redhat.com/errata/RHSA-2023:1047
- https://access.redhat.com/errata/RHSA-2022:8781
- https://access.redhat.com/errata/RHSA-2023:0264
- https://access.redhat.com/errata/RHSA-2022:9032
- https://access.redhat.com/security/cve/cve-2022-42003
- https://github.com/FasterXML/jackson-databind/issues/3590
- https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020
- https://security-tracker.debian.org/tracker/CVE-2022-42003
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2135251
- https://access.redhat.com/errata/RHSA-2023:2135
- https://security.gentoo.org/glsa/202210-21
- https://www.debian.org/security/2022/dsa-5283
- https://security.netapp.com/advisory/ntap-20221124-0004/
- https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-42003
- https://github.com/FasterXML/jackson-databind/blob/2.13/release-notes/VERSION-2.x
- https://github.com/FasterXML/jackson-databind/issues/3627
- https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea
- https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc
- https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1
- https://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45
- https://github.com/FasterXML/jackson-databind/commits/jackson-databind-2.4.0-rc1?after=75b97b8519f0d50c62523ad85170d80a197a2c86+174&branch=jackson-databind-2.4.0-rc1&qualified_name=refs%2Ftags%2Fjackson-databind-2.4.0-rc1
- https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.13.4.1...jackson-databind-2.13.4.2
- https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288
- https://security.netapp.com/advisory/ntap-20221124-0004
- https://github.com/advisories/GHSA-jjjh-jjxp-wpff (Advisory)
- https://www.ibm.com/support/pages/node/7183851 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
- RHSA-2022:7435
- RHSA-2023:0471
- RHSA-2023:3663
- RHSA-2023:1064
- RHSA-2022:8889
- RHSA-2022:8876
- RHSA-2022:9023
- RHSA-2023:1006
- RHSA-2023:0713
- RHSA-2023:3641
- RHSA-2023:2100
- RHSA-2023:0469
- RHSA-2023:0189
- RHSA-2023:3223
- RHSA-2023:0556
- RHSA-2023:0553
- RHSA-2023:0554
- RHSA-2023:0552
- RHSA-2023:1151
- RHSA-2023:0261
- RHSA-2023:2097
- RHSA-2023:1049
- RHSA-2023:1043
- RHSA-2023:1044
- RHSA-2023:1045
- RHSA-2023:1047
- RHSA-2022:8781
- RHSA-2023:0264
- RHSA-2022:9032
- IBM-7183851
Frequently Asked Questions
What is the severity of CVE-2022-42003?
CVE-2022-42003 has been assigned a medium severity rating due to its potential for resource exhaustion.
How do I fix CVE-2022-42003?
To fix CVE-2022-42003, update to the recommended patched versions of the affected packages.
Which versions are affected by CVE-2022-42003?
CVE-2022-42003 affects various versions of FasterXML jackson-databind and other dependent packages up until certain versions.
What causes CVE-2022-42003?
CVE-2022-42003 is caused by unchecked primitive value deserializers when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
Is there a workaround for CVE-2022-42003?
Disabling the UNWRAP_SINGLE_VALUE_ARRAYS feature in your application can serve as a temporary workaround for CVE-2022-42003.
- collector/redhat-cve
- collector/security-tracker-debian
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-42003
- agent/weakness
- agent/event
- agent/author
- agent/references
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-jjjh-jjxp-wpff
- agent/software-canonical-lookup
- collector/github-advisory
- agent/description
- agent/trending
- agent/source
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- agent/softwarecombine
- agent/tags
- collector/ibm-support
- source/IBM
- agent/last-modified-date
- package-manager/redhat
- package-manager/debian
- package-manager/maven
- vendor/fasterxml
- canonical/fasterxml jackson-databind
- version/fasterxml jackson-databind/2.13.0
- vendor/quarkus
- canonical/red hat quarkus
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/10.0
- version/debian gnu/linux/11.0
- vendor/netapp
- canonical/netapp oncommand workflow automation
- vendor/ibm
- canonical/ibm data virtualization on cloud pak for data
- version/ibm data virtualization on cloud pak for data/3.0
- canonical/ibm watson query on cloud pak for data
- version/ibm watson query on cloud pak for data/2.2
- version/ibm watson query on cloud pak for data/2.1
- version/ibm watson query on cloud pak for data/2.0
- version/ibm data virtualization on cloud pak for data/1.8
- version/ibm data virtualization on cloud pak for data/1.7