Bug 2254594 (CVE-2023-4043)

Summary: CVE-2023-4043 parsson: Denial of Service due to large number parsing
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aazores, aileenc, anstephe, aschwart, asoldano, avibelli, bbaranow, bgeorges, bihu, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, chfoley, clement.escoffier, cmah, dandread, darran.lofthouse, dkreling, dosoudil, drichtar, eaguilar, ebaron, eric.wittmann, fjuma, fmariani, fmongiar, gmalinko, gsmet, istudens, ivassile, iweiss, janstey, jkang, jmartisk, jnethert, jolong, jpallich, jpoth, lgao, lthon, manderse, max.andersen, mosmerov, mposolda, msochure, mstefank, msvehla, mulliken, nipatil, nwallace, olubyans, owatkins, pajung, pantinor, pdelbell, pdrozd, peholase, pesilva, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rkubis, rowaters, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdawley, sfroberg, smaestri, ssilvert, sthorger, swoodman, tcunning, tom.jenkinson, tqvarnst, vmuzikar, wfink, yfang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: parsson 1.1.4, parsson 1.0.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Eclipse Parsson library when processing content from untrusted sources. The issue may cause a Denial of Service (DoS): Parsson relies on Java's built-in support for parsing numbers with a large scale, and in some cases processing such a number takes far more time than expected.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2254591

Description Patrick Del Bello 2023-12-14 18:07:42 UTC
In Eclipse Parsson before versions 1.1.4 and 1.0.5, parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.

To mitigate the risk, Parsson put in place a size limit for the numbers as well as their scale.

https://github.com/eclipse-ee4j/parsson/pull/100
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/13
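The mitigation described above (a limit on the size of a number literal and on its scale) can be applied by any consumer of JSON numbers, not only inside the parser. The following is an added example written for this page; it is not Parsson's code and does not use Parsson's API. It builds only on `java.math.BigDecimal`, which is the same built-in number support the description refers to. The class name `NumberGuard`, the exception type, and the two limit values `MAX_LENGTH` and `MAX_SCALE` are assumptions for the illustration, not the defaults shipped in the upstream fix. The point it demonstrates is that constructing a `BigDecimal` from text such as `1e1000000` is cheap (the value is stored as unscaled digits plus an exponent), while expanding it with `toBigInteger()` is where the cost explodes, so the scale must be checked between those two steps.

```java
import java.math.BigDecimal;
import java.math.BigInteger;

/**
 * Added example, not Parsson's code: bound the textual length and the scale
 * of a JSON number literal before it is expanded into a BigInteger.
 * MAX_LENGTH and MAX_SCALE are assumed values chosen for this illustration.
 */
public final class NumberGuard {
    static final int MAX_LENGTH = 1100;     // assumed: max characters in one number literal
    static final int MAX_SCALE  = 100_000;  // assumed: max |scale| we are willing to expand

    /** Thrown when a literal exceeds one of the configured limits. */
    static final class JsonNumberTooLarge extends IllegalArgumentException {
        JsonNumberTooLarge(String msg) { super(msg); }
    }

    /**
     * Parse a JSON number literal into a BigDecimal. The length check runs
     * before any parsing; the scale check runs after the (cheap) parse but
     * before any operation that would materialise the digits.
     */
    static BigDecimal parseBounded(String literal) {
        if (literal.length() > MAX_LENGTH) {
            throw new JsonNumberTooLarge("number literal has " + literal.length()
                + " characters, limit is " + MAX_LENGTH);
        }
        // Cheap: BigDecimal keeps the unscaled value and the exponent separately,
        // so "1e1000000" does not allocate a million digits here.
        BigDecimal value = new BigDecimal(literal);
        if (Math.abs(value.scale()) > MAX_SCALE) {
            throw new JsonNumberTooLarge("number scale " + value.scale()
                + " exceeds limit " + MAX_SCALE);
        }
        return value;
    }

    /**
     * Expand to BigInteger only after the scale check has passed. Without
     * that check, a negative scale of millions would force a multiplication
     * by 10^n, which is the slow path the advisory describes.
     */
    static BigInteger toBigIntegerBounded(String literal) {
        return parseBounded(literal).toBigInteger();
    }

    public static void main(String[] args) {
        // Constructed sample inputs for this example: three ordinary numbers
        // and one literal with a scale far beyond the assumed limit.
        String[] samples = {
            "42",
            "1.25e3",
            "123456789012345678901234567890",
            "1e1000000"
        };
        for (String s : samples) {
            try {
                BigInteger i = toBigIntegerBounded(s);
                System.out.println(s + " -> " + i);
            } catch (JsonNumberTooLarge e) {
                System.out.println(s + " rejected: " + e.getMessage());
            }
        }
    }
}
```

Applying the length check before calling the `BigDecimal` constructor keeps an attacker-supplied literal of millions of digits from ever being parsed, and applying the scale check before `toBigInteger()` (or `bigIntegerValue()` on a JSON number object) keeps a short literal with a huge exponent from being expanded; both limits are needed, which matches the fix described in the ticket. Where the parser already enforces such limits, as Parsson 1.1.4 and 1.0.5 do, the guard is redundant, but it is a cheap check to keep at the boundary of code that upgrades its JSON library independently.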

Comment 6 errata-xmlrpc 2024-01-25 18:10:42 UTC
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2024:0530 https://access.redhat.com/errata/RHSA-2024:0530

Comment 7 errata-xmlrpc 2024-02-12 15:24:43 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.2.10

Via RHSA-2024:0722 https://access.redhat.com/errata/RHSA-2024:0722

Comment 8 errata-xmlrpc 2024-02-12 16:02:16 UTC
This issue has been addressed in the following products:

  RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)

Via RHSA-2024:0789 https://access.redhat.com/errata/RHSA-2024:0789

Comment 9 errata-xmlrpc 2024-02-12 18:01:14 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 4.0.3

Via RHSA-2024:0793 https://access.redhat.com/errata/RHSA-2024:0793

Comment 10 errata-xmlrpc 2024-03-06 15:29:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9

Via RHSA-2024:1193 https://access.redhat.com/errata/RHSA-2024:1193

Comment 11 errata-xmlrpc 2024-03-06 15:30:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

Via RHSA-2024:1192 https://access.redhat.com/errata/RHSA-2024:1192

Comment 12 errata-xmlrpc 2024-03-06 15:38:25 UTC
This issue has been addressed in the following products:

  EAP 8.0.1

Via RHSA-2024:1194 https://access.redhat.com/errata/RHSA-2024:1194