Bug 2221135 (CVE-2023-33008) - CVE-2023-33008 apache-johnzon: Prevent inefficient internal conversion from BigDecimal at large scale
Keywords:
Status: NEW
Alias: CVE-2023-33008
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium (priority), medium (severity)
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2221165
Reported: 2023-07-07 09:11 UTC by TEJ RATHI
Modified: 2024-02-01 03:42 UTC (History)
CC List: 59 users

Fixed In Version: johnzon 1.2.21
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Johnzon. An attacker can craft JSON input containing a number with a very large exponent (for example 1e20000000). Johnzon parses such a literal into a BigDecimal cheaply, but converting that BigDecimal with a huge scale into integer form is extremely expensive in time and memory, so a single request can cause a denial of service. Johnzon 1.2.21 rejects BigDecimal values whose scale exceeds a limit (1000 by default).
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments: none
Links
System                   ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata   RHSA-2023:5441  0        None      None    None     2023-10-04 11:59:31 UTC
Red Hat Product Errata   RHSA-2023:5491  0        None      None    None     2023-10-05 22:37:37 UTC
Red Hat Product Errata   RHSA-2023:6114  0        None      None    None     2023-10-25 14:53:36 UTC

Description TEJ RATHI 2023-07-07 09:11:34 UTC
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon.

A malicious attacker can craft up some JSON input that uses large numbers (numbers such as 1e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) to the BigDecimal. 

Affected versions: Apache Johnzon through 1.2.20

References:

https://johnzon.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-33008
https://issues.apache.org/jira/browse/JOHNZON-397
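
The conversion cost the description refers to, shown in plain JDK code as an added example (this is not Johnzon's code and uses no Johnzon API). Parsing "1e20000000" into a BigDecimal is cheap because the JDK stores it as unscaled value 1 with scale -20000000; the cost appears only when the value is converted to an integer type, because toBigInteger() has to materialise 10^20000000. The MAX_SCALE constant of 1000 mirrors the default limit the description mentions, and checking the absolute value of the scale is an assumption about how such a guard is written, not a statement of Johnzon 1.2.21's exact check:

```java
import java.math.BigDecimal;
import java.math.BigInteger;

// Added example (not Johnzon code): why a JSON number literal with a huge
// exponent is cheap to parse but expensive to convert, and a scale guard
// in the spirit of the Johnzon 1.2.21 mitigation.
public class BigDecimalScaleGuard {

    // Assumed limit; the advisory says Johnzon defaults to 1000.
    static final int MAX_SCALE = 1000;

    // Parsing costs O(length of the literal). "1e20000000" becomes
    // unscaled value 1 with scale -20000000; no large arithmetic happens yet.
    static BigDecimal parse(String jsonNumberLiteral) {
        return new BigDecimal(jsonNumberLiteral);
    }

    // The expensive step. For scale -20000000 the JDK computes
    // 1 * 10^20000000 (a 20-million-digit BigInteger); for a large positive
    // scale it divides by a power of ten of the same size. Time and memory
    // grow with the exponent the attacker chose.
    static BigInteger unguardedConvert(BigDecimal d) {
        return d.toBigInteger();
    }

    // Guarded variant: scale() is O(1), so rejecting before conversion
    // bounds the work regardless of the input literal.
    static BigInteger guardedConvert(BigDecimal d) {
        int scale = d.scale();
        if (scale > MAX_SCALE || scale < -MAX_SCALE) {
            throw new ArithmeticException(
                "BigDecimal scale " + scale + " exceeds limit " + MAX_SCALE);
        }
        return d.toBigInteger();
    }

    public static void main(String[] args) {
        BigDecimal harmless = parse("123.456");
        // scale 3, toBigInteger() truncates to 123
        System.out.println("123.456: scale=" + harmless.scale()
            + " toBigInteger=" + guardedConvert(harmless));

        BigDecimal hostile = parse("1e20000000"); // parses instantly
        System.out.println("1e20000000: scale=" + hostile.scale()); // -20000000
        try {
            guardedConvert(hostile); // rejected in constant time
        } catch (ArithmeticException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // unguardedConvert(hostile) would try to build 10^20000000 and is
        // the behaviour an attacker triggers on Johnzon versions through 1.2.20.
    }
}
```

Run with `javac BigDecimalScaleGuard.java && java BigDecimalScaleGuard`. The practical check for an application that cannot upgrade immediately is the same shape: inspect `scale()` (and, for very long mantissas, `precision()`) on numbers taken from untrusted JSON before calling `intValue()`, `longValue()`, `bigIntegerValue()` or `toPlainString()` on them, because those are the calls that turn a small literal into an enormous computation.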

Comment 3 errata-xmlrpc 2023-10-04 11:59:28 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 4.0.0

Via RHSA-2023:5441 https://access.redhat.com/errata/RHSA-2023:5441

Comment 4 errata-xmlrpc 2023-10-05 22:37:33 UTC
This issue has been addressed in the following products:

  AMQ Broker 7.11.2

Via RHSA-2023:5491 https://access.redhat.com/errata/RHSA-2023:5491

Comment 5 errata-xmlrpc 2023-10-25 14:53:32 UTC
This issue has been addressed in the following products:

  Spring Boot 2.7.17

Via RHSA-2023:6114 https://access.redhat.com/errata/RHSA-2023:6114

