Описание
Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exists in ion-java for applications that use ion-java to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into the IonValue model and then invoke certain IonValue methods on that in-memory representation. An actor could craft Ion data that, when loaded by the affected application and/or processed using the IonValue model, results in a StackOverflowError originating from the ion-java library. The patch is included in ion-java 1.10.5. As a workaround, do not load data which originated from an untrusted source or that could have been tampered with.
A vulnerability was found in Amazon Ion, an implementation of Ion data notation. Ion-java may be affected by denial of service (DoS) due to issues while deserializing encoded data into IonValue. A maliciously crafted Ion data structure may be processed and cause a StackOverflowError, leaving the application in an unreliable state.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | software.amazon.ion/ion-java | Not affected | ||
| Red Hat build of Apache Camel for Spring Boot 3 | software.amazon.ion/ion-java | Not affected | ||
| Red Hat build of Apache Camel for Spring Boot 4 | software.amazon.ion/ion-java | Not affected | ||
| Red Hat Build of Keycloak | software.amazon.ion/ion-java | Not affected | ||
| Red Hat build of Quarkus | software.amazon.ion/ion-java | Not affected | ||
| Red Hat Fuse 7 | software.amazon.ion/ion-java | Will not fix | ||
| Red Hat Integration Camel K 1 | software.amazon.ion/ion-java | Not affected | ||
| Red Hat JBoss Data Grid 7 | software.amazon.ion/ion-java | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 7 | ion-java | Not affected | ||
| Red Hat JBoss Enterprise Application Platform Expansion Pack | ion-java | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exists in `ion-java` for applications that use `ion-java` to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into the `IonValue` model and then invoke certain `IonValue` methods on that in-memory representation. An actor could craft Ion data that, when loaded by the affected application and/or processed using the `IonValue` model, results in a `StackOverflowError` originating from the `ion-java` library. The patch is included in `ion-java` 1.10.5. As a workaround, do not load data which originated from an untrusted source or that could have been tampered with.
EPSS
7.5 High
CVSS3