Bug 2188542 (CVE-2023-1370)

Summary: CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
Product: [Other] Security Response
Reporter: Sandipan Roy <saroy>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: abenaiss, aileenc, alampare, alazarot, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, cmoulliard, darran.lofthouse, dfreiber, dhanak, dkreling, dosoudil, drichtar, ellin, emingora, fjuma, fmongiar, gjospin, gmalinko, hbraun, ibek, ikanello, ivassile, iweiss, janstey, jburrell, jcantril, jnethert, jpavlik, jpechane, jpoth, jrokos, jross, jscholz, kverlaen, lbacciot, lgao, lthon, mnovotny, mokumar, mosmerov, msochure, msvehla, nboldt, nwallace, pdelbell, pdrozd, peholase, periklis, pgallagh, pjindal, pmackay, pskopek, rguimara, rkieley, rogbas, rowaters, rrajasek, rruss, rstancel, scorneli, shbose, smaestri, sthorger, swoodman, tcunning, tom.jenkinson, vkumar, yfang
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: json-smart 2.4.9, json-smart 2.4.10
Doc Text:
A flaw was found in the json-smart package. When the parser reaches a '[' or '{' character in the JSON input, it parses an array or an object, respectively. The third-party package (3PP) imposes no limit on how deeply such arrays or objects may be nested. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.
Last Closed: 2023-05-03 20:36:42 UTC
Bug Blocks: 2180850

Description Sandipan Roy 2023-04-21 05:35:36 UTC
[Json-smart](https://netplex.github.io/json-smart/) is a performance-focused JSON processor lib. When reaching a '[' or '{' character in the JSON input, the code parses an array or an object, respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.

https://github.com/advisories/GHSA-493p-pfq6-5258
https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a
https://github.com/netplex/json-smart-v2/commit/e2791ae506a57491bc856b439d706c81e45adcf8
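The mitigation class the Doc Text and the description above point to is a nesting limit enforced without recursion. The following is an added example, not json-smart's code or the upstream fix: an iterative depth scan that rejects input before a recursive parser ever sees it. The names max_nesting_depth, safe_loads and NestingTooDeep, the MAX_DEPTH value of 400 and the sample inputs are all assumptions made for the example.

```python
import json

# Assumed limit for this example; the page only says the fixed versions add a
# nesting limit, so 400 is a placeholder, not json-smart's actual setting.
MAX_DEPTH = 400

class NestingTooDeep(ValueError):
    """Raised when the JSON text nests arrays/objects beyond the allowed depth."""

def max_nesting_depth(text: str, limit: int = MAX_DEPTH) -> int:
    """Deepest '['/'{' nesting in text, found with an iterative scan.

    Brackets inside string literals are skipped (escapes honoured), and the
    scan aborts with NestingTooDeep as soon as the limit is passed, so it
    runs in O(n) with constant stack: what the recursive parser lacked.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > limit:
                raise NestingTooDeep(f"nesting depth exceeds {limit}")
            max_depth = max(max_depth, depth)
        elif ch in "]}" and depth > 0:
            depth -= 1
    return max_depth

def safe_loads(text: str, limit: int = MAX_DEPTH):
    """Run the bounded depth check before handing the text to the real parser."""
    max_nesting_depth(text, limit)
    return json.loads(text)

# Constructed sample inputs (not taken from the advisory).
NORMAL = '{"items": [{"id": 1, "tags": ["a", "[not nested]"]}]}'
DEEP = "[" * 10_000 + "]" * 10_000  # rejected at depth 401, before any parsing
```

The check is only a front door: the limit must still be low enough that the parser behind it, with its real per-frame stack cost, can handle any input the check lets through.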

Comment 5 errata-xmlrpc 2023-05-03 14:05:30 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.18.3.P1

Via RHSA-2023:2099 https://access.redhat.com/errata/RHSA-2023:2099

Comment 6 errata-xmlrpc 2023-05-03 14:07:20 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.20.1

Via RHSA-2023:2100 https://access.redhat.com/errata/RHSA-2023:2100

Comment 7 Product Security DevOps Team 2023-05-03 20:36:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-1370

Comment 9 errata-xmlrpc 2023-05-17 12:29:40 UTC
This issue has been addressed in the following products:

  CEQ 2.13.2-2

Via RHSA-2023:3179 https://access.redhat.com/errata/RHSA-2023:3179

Comment 10 errata-xmlrpc 2023-05-17 15:49:38 UTC
This issue has been addressed in the following products:

  CEQ 2.7.1-1

Via RHSA-2023:3193 https://access.redhat.com/errata/RHSA-2023:3193

Comment 11 errata-xmlrpc 2023-05-18 09:54:41 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.4.0

Via RHSA-2023:3223 https://access.redhat.com/errata/RHSA-2023:3223

Comment 13 errata-xmlrpc 2023-06-07 09:20:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:3362 https://access.redhat.com/errata/RHSA-2023:3362

Comment 14 errata-xmlrpc 2023-06-15 00:15:05 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.12

Via RHSA-2023:3610 https://access.redhat.com/errata/RHSA-2023:3610

Comment 15 errata-xmlrpc 2023-06-15 09:01:32 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.13

Via RHSA-2023:3622 https://access.redhat.com/errata/RHSA-2023:3622

Comment 16 errata-xmlrpc 2023-06-15 15:24:17 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.18.3.P2

Via RHSA-2023:3641 https://access.redhat.com/errata/RHSA-2023:3641

Comment 17 errata-xmlrpc 2023-06-19 10:13:15 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2023:3663 https://access.redhat.com/errata/RHSA-2023:3663

Comment 18 errata-xmlrpc 2023-06-28 15:59:19 UTC
This issue has been addressed in the following products:

  RHINT Camel-K-1.10.1

Via RHSA-2023:3906 https://access.redhat.com/errata/RHSA-2023:3906

Comment 20 errata-xmlrpc 2023-06-29 20:08:38 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.12

Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954

Comment 22 errata-xmlrpc 2023-12-07 13:42:05 UTC
This issue has been addressed in the following products:

  AMQ Clients 3.y for RHEL 8
  AMQ Clients 3.y for RHEL 9

Via RHSA-2023:7697 https://access.redhat.com/errata/RHSA-2023:7697