Bug 2182788 (CVE-2023-1436) - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
Summary: CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-1436
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2182793 2182958 2182959
Blocks: 2180848
TreeView+ depends on / blocked
 
Reported: 2023-03-29 15:27 UTC by Patrick Del Bello
Modified: 2024-02-28 18:14 UTC (History)
88 users (show)

Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Jettison. Infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This issue leads to a StackOverflowError exception being thrown.
Clone Of:
Environment:
Last Closed: 2023-05-03 20:34:23 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:2100 0 None None None 2023-05-03 14:07:21 UTC
Red Hat Product Errata RHSA-2023:3622 0 None None None 2023-06-15 09:01:35 UTC
Red Hat Product Errata RHSA-2023:3641 0 None None None 2023-06-15 15:24:22 UTC
Red Hat Product Errata RHSA-2023:3663 0 None None None 2023-06-19 10:13:18 UTC
Red Hat Product Errata RHSA-2023:3667 0 None None None 2023-06-19 16:32:41 UTC
Red Hat Product Errata RHSA-2023:3809 0 None None None 2023-06-29 11:09:58 UTC
Red Hat Product Errata RHSA-2023:4505 0 None None None 2023-08-07 15:15:00 UTC
Red Hat Product Errata RHSA-2023:4506 0 None None None 2023-08-07 15:15:38 UTC
Red Hat Product Errata RHSA-2023:4507 0 None None None 2023-08-07 15:16:43 UTC
Red Hat Product Errata RHSA-2023:4509 0 None None None 2023-08-07 15:02:29 UTC
Red Hat Product Errata RHSA-2023:4918 0 None None None 2023-08-31 13:25:24 UTC
Red Hat Product Errata RHSA-2023:4919 0 None None None 2023-08-31 13:25:17 UTC
Red Hat Product Errata RHSA-2023:4920 0 None None None 2023-08-31 13:26:13 UTC
Red Hat Product Errata RHSA-2023:4921 0 None None None 2023-08-31 13:25:45 UTC
Red Hat Product Errata RHSA-2023:4924 0 None None None 2023-08-31 13:29:26 UTC
Red Hat Product Errata RHSA-2023:7670 0 None None None 2023-12-06 13:16:48 UTC
Red Hat Product Errata RHSA-2024:1027 0 None None None 2024-02-28 18:14:00 UTC

Description Patrick Del Bello 2023-03-29 15:27:21 UTC 
An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.

https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/
Comment 1 Patrick Del Bello 2023-03-29 15:36:18 UTC 
Created log4j tracking bugs for this issue:

Affects: fedora-all [bug 2182793]
Comment 7 errata-xmlrpc 2023-05-03 14:07:17 UTC 
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.20.1

Via RHSA-2023:2100 https://access.redhat.com/errata/RHSA-2023:2100
Comment 8 Product Security DevOps Team 2023-05-03 20:34:18 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-1436
Comment 9 errata-xmlrpc 2023-06-15 09:01:30 UTC 
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.13

Via RHSA-2023:3622 https://access.redhat.com/errata/RHSA-2023:3622
Comment 10 errata-xmlrpc 2023-06-15 15:24:17 UTC 
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.18.3.P2

Via RHSA-2023:3641 https://access.redhat.com/errata/RHSA-2023:3641
Comment 11 errata-xmlrpc 2023-06-19 10:13:13 UTC 
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2023:3663 https://access.redhat.com/errata/RHSA-2023:3663
Comment 12 errata-xmlrpc 2023-06-19 16:32:37 UTC 
This issue has been addressed in the following products:

  RHINT Camel-Q 2.13.3

Via RHSA-2023:3667 https://access.redhat.com/errata/RHSA-2023:3667
Comment 14 errata-xmlrpc 2023-06-29 11:09:54 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.8

Via RHSA-2023:3809 https://access.redhat.com/errata/RHSA-2023:3809
Comment 15 errata-xmlrpc 2023-08-07 15:02:23 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2023:4509 https://access.redhat.com/errata/RHSA-2023:4509
Comment 16 errata-xmlrpc 2023-08-07 15:14:55 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2023:4505 https://access.redhat.com/errata/RHSA-2023:4505
Comment 17 errata-xmlrpc 2023-08-07 15:15:34 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2023:4506 https://access.redhat.com/errata/RHSA-2023:4506
Comment 18 errata-xmlrpc 2023-08-07 15:16:37 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2023:4507 https://access.redhat.com/errata/RHSA-2023:4507
Comment 19 errata-xmlrpc 2023-08-31 13:25:11 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:4919 https://access.redhat.com/errata/RHSA-2023:4919
Comment 20 errata-xmlrpc 2023-08-31 13:25:17 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:4918 https://access.redhat.com/errata/RHSA-2023:4918
Comment 21 errata-xmlrpc 2023-08-31 13:25:40 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:4920 https://access.redhat.com/errata/RHSA-2023:4920
Comment 22 errata-xmlrpc 2023-08-31 13:25:40 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:4921 https://access.redhat.com/errata/RHSA-2023:4921
Comment 23 errata-xmlrpc 2023-08-31 13:29:22 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6.5

Via RHSA-2023:4924 https://access.redhat.com/errata/RHSA-2023:4924
Comment 24 errata-xmlrpc 2023-12-06 13:16:44 UTC 
This issue has been addressed in the following products:

  Migration Toolkit for Runtimes 1 on RHEL 8

Via RHSA-2023:7670 https://access.redhat.com/errata/RHSA-2023:7670
Comment 25 errata-xmlrpc 2024-02-28 18:13:56 UTC 
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2024:1027 https://access.redhat.com/errata/RHSA-2024:1027
Note You need to log in before you can comment on or make changes to this bug.