Bug 2221135 (CVE-2023-33008)

Summary: CVE-2023-33008 apache-johnzon: Prevent inefficient internal conversion from BigDecimal at large scale
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, alampare, alazarot, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmoulliard, dandread, darran.lofthouse, dffrench, dhanak, dkreling, dosoudil, emingora, fjuma, fmongiar, gjospin, gmalinko, gsmet, gzaronik, hamadhan, hbraun, ibek, ikanello, ivassile, iweiss, janstey, jmartisk, jnethert, jpoth, jrokos, jross, kverlaen, lbacciot, lgao, lthon, max.andersen, mnovotny, mosmerov, msochure, mstefank, msvehla, ngough, nwallace, pdelbell, peholase, pgallagh, pjindal, pmackay, probinso, rgodfrey, rguimara, rkieley, rruss, rstancel, rsvoboda, sbiarozk, sdouglas, smaestri, tcunning, tom.jenkinson, tqvarnst, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: johnzon 1.2.21 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Johnzon. This issue could allow an attacker to craft a specific JSON input that Johnzon will deserialize into a BigDecimal, which Johnzon may use to start converting large numbers, resulting in a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2221165    

Description TEJ RATHI 2023-07-07 09:11:34 UTC 
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon.

A malicious attacker can craft up some JSON input that uses large numbers (numbers such asĀ 1e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) to the BigDecimal. 

Affected versions: Apache Johnzon through 1.2.20

References:

https://johnzon.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-33008
https://issues.apache.org/jira/browse/JOHNZON-397