SYNC-2022-1003 - Denial of Service (DoS)

Severity: Low

2022-03-10


Abstract

The jackson-databind package is vulnerable to a Denial of Service (DoS) attack. The readExternal() method in the NodeSerialization class fails to restrict allocation when JsonNode objects are serialized/deserialized through JDK (java.io) serialization.

The Oxygen XML products incorporate jackson-databind as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Product                                    Severity   Fixed Release Availability
Oxygen XML Author v24.0 and older          Low        Oxygen XML Author 24.1 build 2022030807
Oxygen XML Developer v24.0 and older       Low        Oxygen XML Developer 24.1 build 2022030807
Oxygen XML Editor v24.0 and older          Low        Oxygen XML Editor 24.1 build 2022030807
Oxygen Content Fusion v4.1.5 and older     Low        N/A
Oxygen Web Author v24.0 and older          Low        Oxygen Web Author 24.1 build 2022030809
Oxygen Feedback v2.0.1 and older           Low        Oxygen Feedback 2.0.2 build 2022021009
Oxygen Publishing Engine v24.0 and older   Low        Oxygen Publishing Engine 24.1 build 2022030800
Oxygen PDF Chemistry v24.0 and older       Low        Oxygen PDF Chemistry 24.1 build 2022030907
Oxygen License Server v24.0 and older      Low        Oxygen License Server 24.1 build 2022030712

Mitigation

None

Detail

SYNC-2022-1003

Severity: High

CVSS Score: 7.5

The jackson-databind third-party library used by the Oxygen XML products is one of the affected versions listed in the SYNC-2022-1003 vulnerability description. However, the products do not use this library to serialize/deserialize JsonNode objects from untrusted sources. For that reason, we have rated the severity level for our products as low.
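An added example (not code from this advisory or from the Oxygen products) of the distinction the paragraph above relies on: JDK serialization of a JsonNode round-trips normally on a trusted path, while a stream from an untrusted source can be refused with a java.io.ObjectInputFilter (Java 9 and later) before NodeSerialization.readExternal() ever runs. It assumes jackson-databind is on the classpath and that NodeSerialization lives in the package com.fasterxml.jackson.databind.node.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

public class JsonNodeDeserializationGuard {

    // Filter for streams that may come from an untrusted source: reject the
    // jackson-databind node classes outright (so NodeSerialization.readExternal()
    // is never invoked) and cap stream size and depth as defence in depth.
    // Package name assumed to match jackson-databind's NodeSerialization class.
    static final ObjectInputFilter UNTRUSTED_FILTER = ObjectInputFilter.Config.createFilter(
            "!com.fasterxml.jackson.databind.node.**;maxbytes=65536;maxdepth=16");

    // JDK serialization of a JsonNode; jackson-databind substitutes a
    // NodeSerialization object for the node via writeReplace().
    static byte[] serialize(JsonNode node) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(node);
        }
        return bos.toByteArray();
    }

    // Deserialize with an optional filter; the filter is consulted when the
    // class descriptor is read, before any readExternal() allocation happens.
    static Object deserialize(byte[] data, ObjectInputFilter filter) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            if (filter != null) {
                ois.setObjectInputFilter(filter);
            }
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document.
        JsonNode node = new ObjectMapper().readTree("{\"id\":1,\"tags\":[\"a\",\"b\"]}");
        byte[] data = serialize(node);

        // Trusted path: plain round-trip, the usage the advisory deems acceptable.
        System.out.println("trusted: " + deserialize(data, null));

        // Untrusted path: the filter rejects the node class with InvalidClassException.
        try {
            deserialize(data, UNTRUSTED_FILTER);
        } catch (InvalidClassException e) {
            System.out.println("untrusted: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The same pattern can be applied process-wide with the jdk.serialFilter system property, which is the usual choice when a service accepts serialized objects over the network.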
