CVE-2022-42004: 
Java vulnerability analysis and mitigation

CVE-2022-42004 affects FasterXML jackson-databind versions before 2.13.4. The vulnerability allows resource exhaustion to occur due to a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. The vulnerability was discovered in October 2022 and affects applications only with certain customized choices for deserialization (CVE Details, Red Hat CVE).

The vulnerability stems from a missing check in the BeanDeserializer.deserializeFromArray method that would prevent the use of deeply nested arrays. When the UNWRAPSINGLEVALUEARRAYS feature is enabled, the implementation allows multiple nested layers of JSON Arrays to be unwrapped through recursion, which was not an intended feature but rather an implementation detail. The issue was discovered through OSS-Fuzz testing (GitHub Issue).

Successful exploitation of this vulnerability could lead to Denial of Service (DoS) through resource exhaustion. The vulnerability is particularly concerning when the application uses certain customized deserialization choices (NetApp Advisory).

The vulnerability has been fixed in jackson-databind version 2.13.4. The fix includes adding a check to prevent deeply nested arrays, allowing only a single JSON Array to wrap a value. Users are recommended to upgrade to version 2.13.4 or later to address this vulnerability (GitHub Commit).

Multiple organizations and Linux distributions have released security advisories and patches for this vulnerability, including Debian, Red Hat, and NetApp. Debian released security advisory DSA-5283-1, and Gentoo released GLSA 202210-21 to address this vulnerability among others (Debian Security, Gentoo Security).