SYNC-2022-1003 - Denial of Service (DoS)
Severity: Low
Date: 2022-03-10
Abstract
The jackson-databind package is vulnerable to Denial of Service (DoS). The readExternal() method of the NodeSerialization class does not bound the buffer it allocates when a JsonNode is deserialized through JDK serialization (ObjectInputStream): the allocation size is taken from the serialized stream itself, so a small crafted stream can force an allocation far larger than the input.
The Oxygen XML products bundle jackson-databind as a third-party library. This advisory addresses the potential impact of that third-party vulnerability on those products.
Affected Products/Versions
Product | Severity | Fixed Release Availability |
Oxygen XML Author v24.0 and older | Low | Oxygen XML Author 24.1 build 2022030807 |
Oxygen XML Developer v24.0 and older | Low | Oxygen XML Developer 24.1 build 2022030807 |
Oxygen XML Editor v24.0 and older | Low | Oxygen XML Editor 24.1 build 2022030807 |
Oxygen Content Fusion v4.1.5 and older | Low | N/A |
Oxygen Web Author v24.0 and older | Low | Oxygen Web Author 24.1 build 2022030809 |
Oxygen Feedback v2.0.1 and older | Low | Oxygen Feedback 2.0.2 build 2022021009 |
Oxygen Publishing Engine v24.0 and older | Low | Oxygen Publishing Engine 24.1 build 2022030800 |
Oxygen PDF Chemistry v24.0 and older | Low | Oxygen PDF Chemistry 24.1 build 2022030907 |
Oxygen License Server v24.0 and older | Low | Oxygen License Server 24.1 build 2022030712 |
Detail
SYNC-2022-1003
Severity (library vulnerability): High
CVSS Score (library vulnerability): 7.5
The jackson-databind version bundled with the Oxygen XML products falls within the affected range given in the SYNC-2022-1003 description. However, the products do not use JDK serialization to serialize or deserialize JsonNode objects coming from untrusted sources, so the vulnerable readExternal() path cannot be reached with attacker-controlled input. For that reason we have rated the severity for our products as Low.
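As an added illustration (not jackson-databind's source and not code from Syncro Soft), the following Java program models the bug class described in the Abstract and the reason the product rating above is Low: an Externalizable type whose readExternal() allocates a buffer of whatever length the JDK-serialized stream declares, beside a hardened variant that bounds the declared length before allocating. The class names, the 1 MiB cap, the sample JSON document and the forged 64 MiB length are assumptions chosen for the demo; the vulnerable class reproduces the pattern, not the NodeSerialization code.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.Externalizable;
import java.io.IOException;
import java.io.ObjectInput;
import java.io.ObjectInputStream;
import java.io.ObjectOutput;
import java.io.ObjectOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added illustration of the bug class in the advisory; not jackson-databind's source.
// An Externalizable wrapper reads a length prefix from the stream and allocates a buffer
// of that size. Class names, the cap and the forged length are assumptions for the demo.
public class NodeSerializationDemo {

    /** Vulnerable shape: the declared length is trusted and allocated before any check. */
    public static final class UnboundedNode implements Externalizable {
        private byte[] json = new byte[0];
        public UnboundedNode() { }                        // public no-arg ctor: required
        public UnboundedNode(String s) { json = s.getBytes(StandardCharsets.UTF_8); }
        @Override public void writeExternal(ObjectOutput out) throws IOException {
            out.writeInt(json.length);
            out.write(json);
        }
        @Override public void readExternal(ObjectInput in) throws IOException {
            int len = in.readInt();                       // attacker-controlled
            byte[] buf = new byte[len];                   // up to Integer.MAX_VALUE bytes
            in.readFully(buf);
            json = buf;
        }
    }

    /** Hardened shape: reject an implausible length before allocating anything. */
    public static final class BoundedNode implements Externalizable {
        static final int MAX_LEN = 1 << 20;               // hypothetical 1 MiB cap
        private byte[] json = new byte[0];
        public BoundedNode() { }
        public BoundedNode(String s) { json = s.getBytes(StandardCharsets.UTF_8); }
        @Override public void writeExternal(ObjectOutput out) throws IOException {
            out.writeInt(json.length);
            out.write(json);
        }
        @Override public void readExternal(ObjectInput in) throws IOException {
            int len = in.readInt();
            if (len < 0 || len > MAX_LEN) {
                throw new IOException("declared length " + len + " exceeds " + MAX_LEN);
            }
            byte[] buf = new byte[len];
            in.readFully(buf);
            json = buf;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static void putInt(byte[] b, int off, int v) {
        b[off] = (byte) (v >>> 24); b[off + 1] = (byte) (v >>> 16);
        b[off + 2] = (byte) (v >>> 8); b[off + 3] = (byte) v;
    }

    /** Rewrites the 4-byte length that precedes {@code payload} in a serialized stream. */
    static byte[] forgeLength(byte[] stream, byte[] payload, int forgedLen) {
        byte[] needle = new byte[4 + payload.length];
        putInt(needle, 0, payload.length);
        System.arraycopy(payload, 0, needle, 4, payload.length);
        for (int i = 0; i + needle.length <= stream.length; i++) {
            if (Arrays.equals(Arrays.copyOfRange(stream, i, i + needle.length), needle)) {
                byte[] forged = stream.clone();
                putInt(forged, i, forgedLen);             // payload bytes stay as they were
                return forged;
            }
        }
        throw new IllegalStateException("length prefix not found in stream");
    }

    static void deserialize(String label, byte[] stream) throws ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            ois.readObject();
            System.out.println(label + ": deserialized without error");
        } catch (IOException e) {
            System.out.println(label + ": " + e);
        }
    }

    public static void main(String[] args) throws Exception {
        String doc = "{\"a\":1}";                          // constructed sample JSON
        byte[] payload = doc.getBytes(StandardCharsets.UTF_8);
        int forged = 64 << 20;                            // ~100-byte stream declares 64 MiB

        // Unbounded: new byte[64 MiB] succeeds, then readFully hits EOFException.
        deserialize("unbounded", forgeLength(serialize(new UnboundedNode(doc)), payload, forged));
        // Bounded: the forged length is rejected before the buffer exists.
        deserialize("bounded", forgeLength(serialize(new BoundedNode(doc)), payload, forged));
    }
}
```

Compile and run with `javac NodeSerializationDemo.java && java NodeSerializationDemo`. The unbounded reader allocates the 64 MiB buffer for a stream of about a hundred bytes and only then fails with EOFException; a real stream can declare up to Integer.MAX_VALUE, and a server that deserializes such streams repeatedly is the DoS the advisory describes. The bounded reader rejects the length before any allocation. One caveat for defenders: a JDK serialization filter (ObjectInputFilter, `maxarray=`) does not constrain this allocation, because the array is created by application code inside readExternal() rather than by ObjectInputStream itself. The reliable fixes are the updated library releases listed above and, as the rationale for the Low rating states, never feeding untrusted JDK-serialized JsonNode data to ObjectInputStream.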