Jackson Denial of Service and Resource Exhaustion threats

Known Issue

Affecting versions up to 7.2.0.

The following vulnerabilities have been identified in the Jackson libraries v2.13.0 shipped with Tungsten up to 7.2.0:

  • CVE-2021-46877
  • CVE-2022-42003
  • CVE-2022-42004
  • CVE-2023-35116
  • CVE-2025-52999

These vulnerabilities are not exposed to the client application, because Tungsten uses these libraries only for internal JSON conversions of known data that Tungsten itself generates; they may nevertheless be flagged by security scanners.

The fix is to replace the 3 jars named jackson* with the 2.20 and 2.20.1 versions, which are backwards compatible.

Updated libraries can be downloaded from the following links:

After obtaining the updated files, copy them into the software staging directory of your currently installed release, and then run an update, for example:

shell> cp jackson* /opt/continuent/software/tungsten-clustering-8.0.4-132/cluster-home/lib
shell> cd /opt/continuent/software/tungsten-clustering-8.0.4-132
shell> tools/tpm update --replace-release
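Once the update has run, it is worth confirming that every jackson* jar in the library directory is now at 2.20 or later and that no old copy was left behind next to the new one, since a stale 2.13.0 jar still on the classpath is exactly what a scanner will keep reporting. The script below is an added example and not Continuent's own tooling; it assumes the three jars are jackson-core, jackson-databind and jackson-annotations, that 2.20 is the minimum acceptable version, and it builds constructed fixture jars in a temporary directory so it can be run offline.

```python
"""Audit a Tungsten cluster-home/lib directory for Jackson jars older than 2.20.

Added example, not Continuent's own tooling.  Assumptions: the three jars are
jackson-core, jackson-databind and jackson-annotations, and a jar counts as
fixed when its version is 2.20 or newer (the 2.20 / 2.20.1 line the article
recommends).
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Assumption: the three jackson* jars the article tells you to replace.
JACKSON_ARTIFACTS = ("jackson-core", "jackson-databind", "jackson-annotations")
# Assumption: 2.20 is the earliest acceptable version.
MIN_FIXED = (2, 20, 0)

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn '2.13.0' or '2.20' into a comparable (major, minor, patch) tuple."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def jar_version(jar_path):
    """Prefer Implementation-Version from the manifest; fall back to the filename."""
    jar_path = Path(jar_path)
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                found = parse_version(line.split(":", 1)[1])
                if found:
                    return found
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # not a readable jar or no manifest: use the filename instead
    return parse_version(jar_path.stem.rsplit("-", 1)[-1])


def audit_lib_dir(lib_dir):
    """Map artifact name -> list of {'path', 'version', 'fixed'} for every jackson jar.

    Every copy is reported: a leftover 2.13.0 jar beside the new 2.20.1 one is
    still a finding, because the classpath may load the old one first.
    """
    findings = {}
    for jar in sorted(Path(lib_dir).glob("jackson*.jar")):
        artifact = jar.stem.rsplit("-", 1)[0]
        version = jar_version(jar)
        findings.setdefault(artifact, []).append({
            "path": jar.name,
            "version": version,
            "fixed": version is not None and version >= MIN_FIXED,
        })
    return findings


def is_fully_patched(lib_dir):
    """True only if all three artifacts are present and no copy is below MIN_FIXED."""
    findings = audit_lib_dir(lib_dir)
    for artifact in JACKSON_ARTIFACTS:
        copies = findings.get(artifact)
        if not copies or not all(c["fixed"] for c in copies):
            return False
    return True


def make_fixture(root, jars):
    """Build constructed jars (a zip holding only a manifest) for offline demonstration."""
    lib = Path(root)
    lib.mkdir(parents=True, exist_ok=True)
    for artifact, version in jars:
        with zipfile.ZipFile(lib / f"{artifact}-{version}.jar", "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
    return lib


def demo():
    """Audit three constructed lib directories; returns {scenario: fully_patched}."""
    scenarios = {
        "before": [(a, "2.13.0") for a in JACKSON_ARTIFACTS],
        "after": [("jackson-core", "2.20.1"), ("jackson-databind", "2.20.1"),
                  ("jackson-annotations", "2.20")],
        # New jars copied in, but the old databind jar was never removed.
        "leftover": [("jackson-core", "2.20.1"), ("jackson-databind", "2.20.1"),
                     ("jackson-databind", "2.13.0"), ("jackson-annotations", "2.20.1")],
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, jars in scenarios.items():
            lib = make_fixture(Path(tmp) / name, jars)
            results[name] = is_fully_patched(lib)
            for artifact, copies in audit_lib_dir(lib).items():
                for c in copies:
                    state = "ok" if c["fixed"] else "VULNERABLE"
                    print(f"[{name}] {c['path']}: {state}")
    return results


if __name__ == "__main__":
    print(demo())  # on a real host: is_fully_patched('/opt/continuent/.../cluster-home/lib')
```

To check a live installation, call is_fully_patched() with the cluster-home/lib path from the update step; the manifest is read first so a renamed jar cannot hide an old version behind a newer-looking filename.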