PRISMA-2021-0213 security vulnerability in jackson-databind-2.11.2.jar library

SG version: 7.17.1-53.1.0

Our security scanner reports the following vulnerability:

PRISMA-2021-0213. jackson-databind in certain versions from 2.10 is vulnerable to DoS attack, only when using JDK serialization to serialize, deserialize JsonNode values. An attacker can provide a 4-byte length payload, with the value of Integer.MAX_VALUE, that will cause the decoder to allocate a large buffer leading to out of heap memory - especially so if the attacker manages to inject multiple broken messages.
Library: search-guard-7/jackson-databind-2.11.2.jar
Details: https://github.com/FasterXML/jackson-databind/issues/3328
Fixed in 2.14, 2.13.1, 2.12.6

Could you please update this library to a version with this vulnerability fixed?
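For the DoS mechanism quoted in the scanner report above, an added Java example (not code from Search Guard or jackson-databind) that shows the length-prefix pattern the report describes: a decoder that trusts the 4-byte length and allocates before the data arrives, beside one that checks the declared length against a cap and against the bytes actually available. The class name, the 1 MiB cap and the sample frames are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

public class BoundedLengthPrefixDecoder {
    // Upper bound we are willing to allocate for one length-prefixed payload.
    // The value is an assumption for this example, not a jackson setting.
    static final int MAX_PAYLOAD_BYTES = 1 << 20; // 1 MiB

    // Unbounded pattern: trusts the 4-byte length and allocates before the data is seen.
    // A header claiming Integer.MAX_VALUE bytes makes this attempt a ~2 GiB allocation.
    static byte[] decodeUnbounded(byte[] frame) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(frame));
        int len = in.readInt();
        byte[] payload = new byte[len];   // allocation happens before any validation
        in.readFully(payload);
        return payload;
    }

    // Hardened pattern: validate the declared length against a cap and against the
    // bytes actually available before allocating anything.
    static byte[] decodeBounded(byte[] frame) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(frame));
        int len = in.readInt();
        if (len < 0 || len > MAX_PAYLOAD_BYTES) {
            throw new IOException("declared length " + len + " exceeds limit " + MAX_PAYLOAD_BYTES);
        }
        if (len > in.available()) {
            throw new IOException("declared length " + len + " exceeds " + in.available() + " bytes available");
        }
        byte[] payload = new byte[len];
        in.readFully(payload);
        return payload;
    }

    // Build a length-prefixed frame; the header value is chosen by the caller so a
    // mismatch between declared and actual length can be demonstrated.
    static byte[] frame(int declaredLength, byte[] body) {
        ByteBuffer buf = ByteBuffer.allocate(4 + body.length);
        buf.putInt(declaredLength);
        buf.put(body);
        return buf.array();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample body: a small JSON document.
        byte[] body = "{\"k\":1}".getBytes(StandardCharsets.UTF_8);

        // Well-formed frame: header matches the body, accepted by the bounded decoder.
        byte[] good = frame(body.length, body);
        System.out.println("bounded ok: " + new String(decodeBounded(good), StandardCharsets.UTF_8));

        // Frame whose header claims Integer.MAX_VALUE bytes but carries only a few.
        byte[] oversized = frame(Integer.MAX_VALUE, body);
        try {
            decodeBounded(oversized);
        } catch (IOException e) {
            System.out.println("bounded rejected: " + e.getMessage());
        }
        // decodeUnbounded(oversized) is deliberately not called here: it would try to
        // allocate Integer.MAX_VALUE bytes and most likely end in OutOfMemoryError.
    }
}
```

The two checks in decodeBounded are independent: the cap protects the heap regardless of how the data is delivered, while the available-bytes check catches truncated frames early instead of blocking in readFully. For network streams, where available() is unreliable, keep the cap and read in bounded chunks that grow only as data actually arrives.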

Hello!

First of all: Search Guard does not use the jackson-databind library in a way that would use the vulnerable functionality of jackson-databind. Thus, Search Guard is not affected by this.

Just updating the library is unfortunately not easily possible, as Elasticsearch itself is providing a quite old version of the jackson-core library. In order to use jackson-databind, Search Guard has to use a version that is compatible with the provided jackson-core. Thus, the available version space is quite limited.

We are right now working on removing jackson-databind altogether. However, that is a larger undertaking that will not be possible for a minor release. We hope that we will finish this for the next major release of Search Guard.

@nils thank you for the quick response. Good to know it’s a false positive and it doesn’t affect SG.
