Bug 2254594 (CVE-2023-4043) - CVE-2023-4043 parsson: Denial of Service due to large number parsing
Summary: CVE-2023-4043 parsson: Denial of Service due to large number parsing
Keywords:
Status: NEW
Alias: CVE-2023-4043
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2254591
Reported: 2023-12-14 18:07 UTC by Patrick Del Bello
Modified: 2024-07-20 08:28 UTC

Fixed In Version: parsson 1.1.4, parsson 1.0.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Eclipse Parsson library when processing untrusted source content. This issue may cause a Denial of Service (DoS) because the built-in support for parsing numbers with a large scale has cases where processing such a number takes much more time than expected.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2024:0530  0        None      None    None     2024-01-25 18:10:47 UTC
Red Hat Product Errata  RHSA-2024:0722  0        None      None    None     2024-02-12 15:24:47 UTC
Red Hat Product Errata  RHSA-2024:0789  0        None      None    None     2024-02-12 16:02:20 UTC
Red Hat Product Errata  RHSA-2024:0793  0        None      None    None     2024-02-12 18:01:18 UTC
Red Hat Product Errata  RHSA-2024:1192  0        None      None    None     2024-03-06 15:30:25 UTC
Red Hat Product Errata  RHSA-2024:1193  0        None      None    None     2024-03-06 15:29:51 UTC
Red Hat Product Errata  RHSA-2024:1194  0        None      None    None     2024-03-06 15:38:29 UTC

Description Patrick Del Bello 2023-12-14 18:07:42 UTC
In Eclipse Parsson before versions 1.1.4 and 1.0.5, parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.

To mitigate the risk, Parsson put in place a size limit for the numbers as well as their scale.

https://github.com/eclipse-ee4j/parsson/pull/100
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/13
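
The kind of guard the description refers to, as an added example that is not Parsson's own code nor the fix in the linked pull request: it uses only the public Jakarta JSON-P streaming API and java.math.BigDecimal, bounding the number literal's length and its scale before any conversion that would expand the number to all of its digits. The class name and the two limit values are arbitrary choices for this illustration, not Parsson's defaults.

```java
import jakarta.json.Json;
import jakarta.json.stream.JsonParser;
import java.io.StringReader;
import java.math.BigDecimal;

public final class BoundedNumberReader {
    // Hypothetical limits for this example; they are not Parsson's own defaults.
    static final int MAX_LITERAL_LENGTH = 1000; // characters in the number literal
    static final int MAX_ABS_SCALE = 1000;      // |BigDecimal.scale()| allowed after parsing

    /**
     * Reads a single top-level JSON number and returns it as a BigDecimal,
     * rejecting it before any conversion that would expand a huge scale.
     */
    static BigDecimal readBoundedNumber(String json) {
        try (JsonParser parser = Json.createParser(new StringReader(json))) {
            if (!parser.hasNext() || parser.next() != JsonParser.Event.VALUE_NUMBER) {
                throw new IllegalArgumentException("expected a JSON number");
            }
            // getString() gives the literal text; its length is known before any BigDecimal work.
            String literal = parser.getString();
            if (literal.length() > MAX_LITERAL_LENGTH) {
                throw new IllegalArgumentException("number literal too long: " + literal.length() + " chars");
            }
            // Constructing the BigDecimal is cheap: "1e5000" is unscaled value 1 with scale -5000.
            BigDecimal value = parser.getBigDecimal();
            // scale() is O(1). intValue(), toBigInteger() and toPlainString() are not: they expand
            // the number to all of its digits, which is the slow path the advisory describes.
            if (Math.abs(value.scale()) > MAX_ABS_SCALE) {
                throw new IllegalArgumentException("number scale out of bounds: " + value.scale());
            }
            return value;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary value, then one whose exponent pushes the scale past the limit.
        System.out.println("accepted: " + readBoundedNumber("12345.678"));
        try {
            readBoundedNumber("1e5000");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The scale check must run before intValue(), longValue(), bigIntegerValue() or toPlainString() is called on the value; the same guard applies per VALUE_NUMBER event when iterating over an object or array rather than a single top-level number.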

Comment 6 errata-xmlrpc 2024-01-25 18:10:42 UTC
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2024:0530 https://access.redhat.com/errata/RHSA-2024:0530

Comment 7 errata-xmlrpc 2024-02-12 15:24:43 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.2.10

Via RHSA-2024:0722 https://access.redhat.com/errata/RHSA-2024:0722

Comment 8 errata-xmlrpc 2024-02-12 16:02:16 UTC
This issue has been addressed in the following products:

  RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)

Via RHSA-2024:0789 https://access.redhat.com/errata/RHSA-2024:0789

Comment 9 errata-xmlrpc 2024-02-12 18:01:14 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 4.0.3

Via RHSA-2024:0793 https://access.redhat.com/errata/RHSA-2024:0793

Comment 10 errata-xmlrpc 2024-03-06 15:29:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9

Via RHSA-2024:1193 https://access.redhat.com/errata/RHSA-2024:1193

Comment 11 errata-xmlrpc 2024-03-06 15:30:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

Via RHSA-2024:1192 https://access.redhat.com/errata/RHSA-2024:1192

Comment 12 errata-xmlrpc 2024-03-06 15:38:25 UTC
This issue has been addressed in the following products:

  EAP 8.0.1

Via RHSA-2024:1194 https://access.redhat.com/errata/RHSA-2024:1194

