Bug 2080850 (CVE-2022-25647) - CVE-2022-25647 com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson
Summary: CVE-2022-25647 com.google.code.gson-gson: Deserialization of Untrusted Data i...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-25647
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2080853
TreeView+ depends on / blocked
 
Reported: 2022-05-02 07:18 UTC by Avinash Hanwate
Modified: 2024-02-06 05:00 UTC (History)
89 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in gson, which is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes. This issue may lead to availability attacks.
Clone Of:
Environment:
Last Closed: 2022-06-09 22:49:45 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:4985 0 None Closed RHEL 8.5 | clutter_actor_get_parent: assertion 'CLUTTER_IS_ACTOR (self)' failed 2022-06-20 13:55:50 UTC
Red Hat Product Errata RHSA-2022:5029 0 None None None 2022-06-23 10:42:09 UTC
Red Hat Product Errata RHSA-2022:5892 0 None None None 2022-08-03 15:55:59 UTC
Red Hat Product Errata RHSA-2022:5893 0 None None None 2022-08-03 15:50:05 UTC
Red Hat Product Errata RHSA-2022:5894 0 None None None 2022-08-03 16:01:14 UTC
Red Hat Product Errata RHSA-2022:5903 0 None None None 2022-08-04 04:48:32 UTC
Red Hat Product Errata RHSA-2022:5928 0 None None None 2022-08-08 19:44:17 UTC
Red Hat Product Errata RHSA-2022:6819 0 None None None 2022-10-05 14:30:38 UTC
Red Hat Product Errata RHSA-2022:6835 0 None None None 2022-10-06 12:28:15 UTC

Description Avinash Hanwate 2022-05-02 07:18:09 UTC 
The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

https://github.com/google/gson/pull/1991
https://github.com/google/gson/pull/1991/commits
https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327
Comment 5 errata-xmlrpc 2022-06-09 18:56:46 UTC 
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2022:4985 https://access.redhat.com/errata/RHSA-2022:4985
Comment 6 Product Security DevOps Team 2022-06-09 22:49:40 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-25647
Comment 7 errata-xmlrpc 2022-06-23 10:42:05 UTC 
This issue has been addressed in the following products:

  Red Hat build of Eclipse Vert.x 4.2.7

Via RHSA-2022:5029 https://access.redhat.com/errata/RHSA-2022:5029
Comment 8 errata-xmlrpc 2022-08-03 15:50:02 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2022:5893 https://access.redhat.com/errata/RHSA-2022:5893
Comment 9 errata-xmlrpc 2022-08-03 15:55:54 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2022:5892 https://access.redhat.com/errata/RHSA-2022:5892
Comment 10 errata-xmlrpc 2022-08-03 16:01:09 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2022:5894 https://access.redhat.com/errata/RHSA-2022:5894
Comment 11 errata-xmlrpc 2022-08-04 04:48:27 UTC 
This issue has been addressed in the following products:

  RHPAM 7.13.0 async

Via RHSA-2022:5903 https://access.redhat.com/errata/RHSA-2022:5903
Comment 12 errata-xmlrpc 2022-08-08 19:44:14 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2022:5928 https://access.redhat.com/errata/RHSA-2022:5928
Comment 13 errata-xmlrpc 2022-10-05 14:30:33 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.2.0

Via RHSA-2022:6819 https://access.redhat.com/errata/RHSA-2022:6819
Comment 14 errata-xmlrpc 2022-10-06 12:28:10 UTC 
This issue has been addressed in the following products:

  RHINT Service Registry 2.3.0 GA

Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835
Note You need to log in before you can comment on or make changes to this bug.