Bug 2004547 (CVE-2022-3433) - CVE-2022-3433 ghc-aeson: untrusted JSON input leads to hash collisions and DoS
Summary: CVE-2022-3433 ghc-aeson: untrusted JSON input leads to hash collisions and DoS
Keywords:
Status: NEW
Alias: CVE-2022-3433
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
: 2130280 (view as bug list)
Depends On: 2004548 2004549 2133096
Blocks: 2004550
TreeView+ depends on / blocked
 
Reported: 2021-09-15 14:30 UTC by Marian Rehak
Modified: 2023-09-14 09:54 UTC (History)
3 users (show)

Fixed In Version: aeson 2.0.1.0
Doc Type: If docs needed, set a value
Doc Text:
The aeson library is not safe to use to consume untrusted JSON input. A remote user could abuse this flaw to produce a hash collision in the underlying unordered-containers library by sending specially crafted JSON data, resulting in a denial of service.
Clone Of:
Environment:
Last Closed: 2021-10-05 12:21:17 UTC
Embargoed:


Attachments (Terms of Use)

Description Marian Rehak 2021-09-15 14:30:47 UTC
The aeson library is not safe to use to consume untrusted input, like the JSON values that a web server might parse, this allows DoS.

External Reference:

https://cs-syd.eu/posts/2021-09-11-json-vulnerability

Comment 1 Marian Rehak 2021-09-15 14:31:05 UTC
Created ghc-aeson tracking bugs for this issue:

Affects: epel-7 [bug 2004549]
Affects: fedora-all [bug 2004548]

Comment 3 Guilherme de Almeida Suckevicz 2022-09-27 17:40:51 UTC
*** Bug 2130280 has been marked as a duplicate of this bug. ***

Comment 5 Fraser Tweedale 2022-09-28 09:47:01 UTC
I disagree - strongly - with the assessment that it is not worthy of a CVE assignment.

This issue is not about the unordered-containers library.  This issue is with aeson,
the most widely used JSON library in the Haskell ecosystem.  aeson prior to v2.0 used
HashMap (from unordered-containers) unconditionally, making it vulnerable to hash flooding.
Any service or program that used aeson < 2.0 and handled untrusted input could be
vulnerable to hash flooding, without explicit countermeasures such as
input size limits, rate limits, etc.

Hash flooding / HashDOS vulnerabilities in data libraries are usually assigned CVEs.
Search the database for "hash flood", "hashdos", "hash collision", etc.  Please assign
a CVE for this one too.

Comment 7 Jens Petersen 2022-09-28 12:57:14 UTC
I think CVE-2021-41119 is this issue, right?

Comment 8 Fraser Tweedale 2022-09-29 04:04:53 UTC
Well, yes and no.  That CVE is specifically for wire-server, which was vulnerable because
it uses aeson.

I would expect a CVE / advisory to be filed against the aeson library itself.

Comment 9 Fraser Tweedale 2022-10-05 23:33:10 UTC
Reopening this ticket.  I feel that the decision not to assign a CVE for the hash flood vulnerability
within aeson itself (versions < 2.0) is incorrect.

Comment 10 Mauro Matteo Cascella 2022-10-07 20:31:42 UTC
Thanks for your feedback. This issue was assigned CVE-2022-3433.


Note You need to log in before you can comment on or make changes to this bug.