The Library API in buger jsonparser through 2019-12-04 allows attackers to cause a denial of service (infinite loop) via a Delete call. Reference: https://github.com/buger/jsonparser/issues/188
Created golang-github-buger-jsonparser tracking bugs for this issue: Affects: fedora-all [bug 1817734]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
This vulnerability can be exploited to cause an infinite loop in jsonparser if it is used to parse json data from an untrusted source.
Upstream fix: https://github.com/buger/jsonparser/commit/91ac96899e492584984ded0c8f9a08f10b473717
The following OpenShift 4 containers have indicators to github.com/buger/jsonparser:
- openshift4/file-integrity-rhel8-operator
- openshift4/cnf-tests-rhel8
- openshift4/ose-container-networking-plugins-rhel8

However, the buger/jsonparser is a transient dependency from containernetworking/plugins:

$ go mod graph | grep buger/jsonparser
github.com/containernetworking/plugins.2 github.com/buger/jsonparser.0-20180808090653-f4dd9f5a6b44

The repo github.com/containernetworking/plugins only includes github.com/buger when compiling on Windows:

:~/plugins$ go list -deps ./... | grep buger/jsonparser
:~/plugins$
:~/plugins$ GOOS=windows go list -deps ./... | grep buger/jsonparser
github.com/buger/jsonparser

The associated containers only build on linux and are not affected. That and the go compiler does not include containernetworking/plugins in the build. It has been left on the affects however to prevent confusion as it can appear in the go.sum file.
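As an added example (not code from the Bugzilla thread or from any of the projects named in it), a small POSIX sh helper that makes the check in the comment above repeatable: it asks `go list -deps` for the packages actually compiled for linux and for windows and looks for the module on package-path boundaries, so a go.sum entry alone is never taken as evidence. The module path, the directory argument and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the Bugzilla thread or the upstream projects: checks
# whether a module that shows up in go.sum or `go mod graph` is really in the
# set of packages compiled for a given GOOS, which is the distinction the
# analysis above relies on. Module path and directory are caller parameters.

# dep_listed MODULE
# Reads `go list -deps ./...` output on stdin (one import path per line) and
# succeeds if MODULE itself or a package below it is present. Matching on a
# path boundary avoids a false hit on e.g. github.com/buger/jsonparser-fork.
dep_listed() {
  while IFS= read -r pkg; do
    case $pkg in
      "$1"|"$1"/*) return 0 ;;
    esac
  done
  return 1
}

# compiled_for GOOS MODULE DIR
# Runs the real build-graph query in DIR for the target OS. Returns 0 if the
# module is compiled in, 1 if it is not, and 2 if `go list` itself failed
# (missing toolchain, broken module), so a tool failure is never reported as
# "not affected".
compiled_for() {
  deps=$(cd "$3" && GOOS="$1" go list -deps ./... 2>/dev/null) || return 2
  printf '%s\n' "$deps" | dep_listed "$2"
}

# report MODULE DIR
# One line per target OS, the comparison made in the analysis above.
report() {
  for goos in linux windows; do
    rc=0
    compiled_for "$goos" "$1" "$2" || rc=$?
    case $rc in
      0) echo "$goos: $1 is in the compiled dependency set" ;;
      1) echo "$goos: $1 is NOT compiled in (a go.sum entry is not evidence)" ;;
      *) echo "$goos: go list failed, result unknown" ;;
    esac
  done
}

# Usage from a module root (needs the Go toolchain):
#   report github.com/buger/jsonparser .
```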
External References: https://github.com/buger/jsonparser/issues/188
Statement: The OpenShift Container Platform 4 (OCP) containers file-integrity-rhel8-operator, cnf-tests-rhel8 and ose-container-networking-plugins-rhel8 do have some references to github.com/buger/jsonparser, mainly in their go.sum files. However, it is not included in the final go build. It is also a dependency of the dependency github.com/containernetworking/plugins, which only includes buger/jsonparser when compiling for Windows, which these containers do not. Hence the associated containers have been marked not affected. OpenShift Virtualization cnv-containernetworking-plugins container depends on github.com/buger/jsonparser only when built for Windows, which it is not, thus it is not affected. Other OpenShift Virtualization containers (virt-api, virt-controller, virt-handler, virt-launcher, virt-operator, kubernetes-nmstate-handler, ovs-cni-marker, ovs-cni-plugin, kubemacpool, hyperconverged-cluster-operator) have references to github.com/buger/jsonparser; however, it is not included in the final go build.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10675