2304311 – (CVE-2024-21634) CVE-2024-21634 ion-java: ion-java: Ion Java StackOverflow vulnerability

Bug 2304311 (CVE-2024-21634) - CVE-2024-21634 ion-java: ion-java: Ion Java StackOverflow vulnerability

Summary: CVE-2024-21634 ion-java: ion-java: Ion Java StackOverflow vulnerability

Keywords:
Status:	NEW
Alias:	CVE-2024-21634
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-08-13 12:49 UTC by Patrick Del Bello
Modified:	2025-03-17 23:45 UTC (History)
CC List:	67 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:7441	0	None	None	None	2024-10-01 07:52:53 UTC
Red Hat Product Errata	RHSA-2024:7442	0	None	None	None	2024-10-01 07:54:32 UTC

Description Patrick Del Bello 2024-08-13 12:49:01 UTC

Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exists in `ion-java` for applications that use `ion-java` to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into the `IonValue` model and then invoke certain `IonValue` methods on that in-memory representation. An actor could craft Ion data that, when loaded by the affected application and/or processed using the `IonValue` model, results in a `StackOverflowError` originating from the `ion-java` library. The patch is included in `ion-java` 1.10.5. As a workaround, do not load data which originated from an untrusted source or that could have been tampered with.

Comment 1 errata-xmlrpc 2024-10-01 07:52:49 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

Via RHSA-2024:7441 https://access.redhat.com/errata/RHSA-2024:7441

Comment 2 errata-xmlrpc 2024-10-01 07:54:28 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9

Via RHSA-2024:7442 https://access.redhat.com/errata/RHSA-2024:7442

Note You need to log in before you can comment on or make changes to this bug.

anstephe
arnavarr
asoldano
avibelli
bbaranow
bgeorges
bmaxwell
boliveir
brian.stansberry
cdewolf
chazlett
clement.escoffier
cmiranda
dandread
darran.lofthouse
dkreling
dosoudil
dpalmer
drichtar
fjuma
fmariani
gmalinko
gsmet
hamadhan
istudens
ivassile
iweiss
janstey
jcantril
jkoops
jmartisk
jpoth
kaycoth
kholdawa
lgao
lthon
manderse
mosmerov
msochure
msvehla
mulliken
nwallace
olubyans
pcongius
pdelbell
pdrozd
peholase
pgallagh
pjindal
pmackay
probinso
pskopek
rmartinc
rowaters
rruss
rstancel
rstepani
rsvoboda
sausingh
sbiarozk
sdouglas
smaestri
sthorger
tcunning
tom.jenkinson
tqvarnst
yfang