Headline
GHSA-264p-99wq-f4j6: Ion Java StackOverflow vulnerability
Impact
A potential denial-of-service issue exists in ion-java for applications that use ion-java to:
- Deserialize Ion text encoded data, or
- Deserialize Ion text or binary encoded data into the
IonValuemodel and then invoke certainIonValuemethods on that in-memory representation.
An actor could craft Ion data that, when loaded by the affected application and/or processed using the IonValue model, results in a StackOverflowError originating from the ion-java library.
Impacted versions: <1.10.5
Patches
The patch is included in ion-java >= 1.10.5.
Workarounds
Do not load data which originated from an untrusted source or that could have been tampered with. Only load data you trust.
If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [email protected]. Please do not create a public GitHub issue.
[1] https://aws.amazon.com/security/vulnerability-reporting
Impact
A potential denial-of-service issue exists in ion-java for applications that use ion-java to:
- Deserialize Ion text encoded data, or
- Deserialize Ion text or binary encoded data into the IonValue model and then invoke certain IonValue methods on that in-memory representation.
An actor could craft Ion data that, when loaded by the affected application and/or processed using the IonValue model, results in a StackOverflowError originating from the ion-java library.
Impacted versions: <1.10.5
Patches
The patch is included in ion-java >= 1.10.5.
Workarounds
Do not load data which originated from an untrusted source or that could have been tampered with. Only load data you trust.
If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [email protected]. Please do not create a public GitHub issue.
[1] https://aws.amazon.com/security/vulnerability-reporting
References
- GHSA-264p-99wq-f4j6
Related news
Red Hat Security Advisory 2024-7442-03 - A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0. Issues addressed include an information leakage vulnerability.
Red Hat Security Advisory 2024-7441-03 - A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include an information leakage vulnerability.