Add check in `BeanDeserializer._deserializeFromArray()` to prevent use of deeply nested arrays [CVE-2022-42004]

[cowtowncoder]

Fix included in

• 2.13.4
• 2.12.7.1 micro-patch (jackson-bom 2.12.7.20221012)

---

(note: found by oss-fuzz, see: https://bugs.chromium.org/p/oss-fuzz/issues)

Currently feature DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS is supported by most types, and deserializers tend to implement support using recursion, effectively allowing multiple nested layers of JSON Arrays to be unwrapped.
This is not a feature to support but just an implementation detail; ideally we should only allow a single JSON Array to wrap a value.

I think I have removed ability for deeper nesting from some other types so there may be some prior art.

[henryrneh]

Hello dear @cowtowncoder,

I am Henry from Code Intelligence. First of all thank you for your quick fixes of this issue!

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490

Is this issue regarded as a security issue? If yes, we are thinking about applying CVE for it, so the community knows about it and will update to the latest version of jackson-databind.

Thank you for your fixes and support for OSS-Fuzz!

Best regards,
Henry

[cowtowncoder]

@henryrneh I think it is reasonable to file a CVE for this, although one caveat is that it is only applicable if users enable specific DeserializationFeature and not with vanilla (default) setting of ObjectMapper. So that should probably at least be reflect in applicability -- I do not have any statistics of how common enabling this feature is but it probably is minority of usage.

[henryrneh]

@cowtowncoder thanks for your reply and info! We will communicate the information and handle the application to Google. Many thanks!

[DavidKorczynski]

This issue was found by a fuzzer written by the Ada Logics team and is part of an ongoing security assessment. @henryrneh can you please ensure the issues you report are found by the fuzzers written by your team (https://github.com/google/oss-fuzz/blob/master/projects/jackson-core/JsonFuzzer.java and https://github.com/google/oss-fuzz/blob/master/projects/jackson-databind/ObjectReaderFuzzer.java) then we'll take care of those from our fuzzers.

[henryrneh]

I already canceled the application. We will do our best to try not to apply CVEs for fuzz targets written by AdaLogics, however we will need some assitance or notification by you to know who wrote which fuzz target, because OSS-Fuzz is not designed to support this, maybe you can use some special prefix in the fuzz target name so it's more obvious for us so we can filter it out?