Find, fix and prevent vulnerabilities in your code.

Overview

com.google.protobuf:protobuf-java is a Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.

Affected versions of this package are vulnerable to Integer Overflow by allowing remote authenticated attackers to cause a heap-based buffer overflow in serialisation process.

Remediation

Upgrade com.google.protobuf:protobuf-java to version 3.4.0 or higher.

References

• GitHub Issue

Overview

Affected versions of this package are vulnerable to Uncontrolled Recursion via the ClassUtils.getClass function. An attacker can cause the application to terminate unexpectedly by providing excessively long input values.

Remediation

Upgrade org.apache.commons:commons-lang3 to version 3.18.0 or higher.

References

• Apache Pony Mail
• GitHub Commit

Overview

com.fasterxml.jackson.core:jackson-core is a Core Jackson abstractions, basic JSON streaming API implementation

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in which the non-blocking async JSON parser can be made to bypass the maxNumberLength constraint (default: 1000 characters) defined in StreamReadConstraints. An attacker can cause excessive memory allocation and CPU exhaustion by submitting JSON documents containing extremely long numeric values through the asynchronous parser interface.

PoC

The following JUnit 5 test demonstrates the vulnerability. It shows that the async parser accepts a 5,000-digit number, whereas the limit should be 1,000.

package tools.jackson.core.unittest.dos;

import java.nio.charset.StandardCharsets;

import org.junit.jupiter.api.Test;

import tools.jackson.core.*;
import tools.jackson.core.exc.StreamConstraintsException;
import tools.jackson.core.json.JsonFactory;
import tools.jackson.core.json.async.NonBlockingByteArrayJsonParser;

import static org.junit.jupiter.api.Assertions.*;

/**
 * POC: Number Length Constraint Bypass in Non-Blocking (Async) JSON Parsers
 *
 * Authors: sprabhav7, rohan-repos
 * 
 * maxNumberLength default = 1000 characters (digits).
 * A number with more than 1000 digits should be rejected by any parser.
 *
 * BUG: The async parser never calls resetInt()/resetFloat() which is where
 * validateIntegerLength()/validateFPLength() lives. Instead it calls
 * _valueComplete() which skips all number length validation.
 *
 * CWE-770: Allocation of Resources Without Limits or Throttling
 */
class AsyncParserNumberLengthBypassTest {

    private static final int MAX_NUMBER_LENGTH = 1000;
    private static final int TEST_NUMBER_LENGTH = 5000;

    private final JsonFactory factory = new JsonFactory();

    // CONTROL: Sync parser correctly rejects a number exceeding maxNumberLength
    @Test
    void syncParserRejectsLongNumber() throws Exception {
        byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH);
        
        // Output to console
        System.out.println("[SYNC] Parsing " + TEST_NUMBER_LENGTH + "-digit number (limit: " + MAX_NUMBER_LENGTH + ")");
        try {
            try (JsonParser p = factory.createParser(ObjectReadContext.empty(), payload)) {
                while (p.nextToken() != null) {
                    if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) {
                        System.out.println("[SYNC] Accepted number with " + p.getText().length() + " digits — UNEXPECTED");
                    }
                }
            }
            fail("Sync parser must reject a " + TEST_NUMBER_LENGTH + "-digit number");
        } catch (StreamConstraintsException e) {
            System.out.println("[SYNC] Rejected with StreamConstraintsException: " + e.getMessage());
        }
    }

    // VULNERABILITY: Async parser accepts the SAME number that sync rejects
    @Test
    void asyncParserAcceptsLongNumber() throws Exception {
        byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH);

        NonBlockingByteArrayJsonParser p =
            (NonBlockingByteArrayJsonParser) factory.createNonBlockingByteArrayParser(ObjectReadContext.empty());
        p.feedInput(payload, 0, payload.length);
        p.endOfInput();

        boolean foundNumber = false;
        try {
            while (p.nextToken() != null) {
                if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) {
                    foundNumber = true;
                    String numberText = p.getText();
                    assertEquals(TEST_NUMBER_LENGTH, numberText.length(),
                        "Async parser silently accepted all " + TEST_NUMBER_LENGTH + " digits");
                }
            }
            // Output to console
            System.out.println("[ASYNC INT] Accepted number with " + TEST_NUMBER_LENGTH + " digits — BUG CONFIRMED");
            assertTrue(foundNumber, "Parser should have produced a VALUE_NUMBER_INT token");
        } catch (StreamConstraintsException e) {
            fail("Bug is fixed — async parser now correctly rejects long numbers: " + e.getMessage());
        }
        p.close();
    }

    private byte[] buildPayloadWithLongInteger(int numDigits) {
        StringBuilder sb = new StringBuilder(numDigits + 10);
        sb.append("{\"v\":");
        for (int i = 0; i < numDigits; i++) {
            sb.append((char) ('1' + (i % 9)));
        }
        sb.append('}');
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }
}

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.fasterxml.jackson.core:jackson-core to version 2.18.6, 2.21.1 or higher.

References

• GitHub Commit
• GitHub PR

Overview

com.fasterxml.jackson.core:jackson-core is a Core Jackson abstractions, basic JSON streaming API implementation

Affected versions of this package are vulnerable to Denial of Service (DoS) due to missing input size validation when performing numeric type conversions. A remote attacker can exploit this vulnerability by causing the application to deserialize data containing certain numeric types with large values, causing the application to exhaust all available resources.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.fasterxml.jackson.core:jackson-core to version 2.15.0-rc1 or higher.

References

• GitHub Commit
• GitHub Issue
• GitHub PR

Overview

com.fasterxml.jackson.core:jackson-core is a Core Jackson abstractions, basic JSON streaming API implementation

Affected versions of this package are vulnerable to Stack-based Buffer Overflow due to the parse process, which accepts an unlimited input file with deeply nested data. An attacker can cause a stack overflow and crash the application by providing input files with excessively deep nesting.

Remediation

Upgrade com.fasterxml.jackson.core:jackson-core to version 2.15.0-rc1 or higher.

References

• GitHub Commit
• GitHub PR

Overview

com.google.protobuf:protobuf-java is a Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.

Affected versions of this package are vulnerable to Stack-based Buffer Overflow via the parsing of nested groups or series of SGROUP tags as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields. An attacker can cause infinite recursion by sending malicious Protocol Buffer data.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.google.protobuf:protobuf-java to version 3.25.5, 4.27.5, 4.28.2 or higher.

References

• GitHub Commit
• GitHub Commit

Overview

commons-beanutils:commons-beanutils is a provides an easy-to-use but flexible wrapper around reflection and introspection.

Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') via the getProperty and getNestedProperty methods of the PropertyUtilsBean class. An attacker can execute arbitrary code by accessing the declaredClass property of Java enum objects, which allows access to the ClassLoader.

Note:

The BeanIntrospector class that can mitigate this vulnerability was added in version 1.9.2 but its usage was not enabled by default.

Remediation

Upgrade commons-beanutils:commons-beanutils to version 1.11.0 or higher.

References

• Apache Advisory
• GitHub Commit
• GitHub Commit

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when DNSSEC validation is enabled, due to a flaw in the DNSSEC specification. An attacker can send traffic from a malicious signed domain that occupies excessive CPU on the target system (keytrap).

Remediation

Upgrade dnsjava:dnsjava to version 3.6.0 or higher.

References

• BIND Advisory
• Git Commit
• GitHub Commit
• GitHub Commit
• PoC
• Vulnerability Advisory

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when DNSSEC validation is enabled, due to a flaw in the DNSSEC specification. An attacker can flood a resolver with NSEC3 closest encloser proof queries to consume excessive resources and deny service to other users (keytrap).

Remediation

Upgrade dnsjava:dnsjava to version 3.6.0 or higher.

References

• BIND advisory
• Git Commit
• GitHub Commit
• PoC
• Vulnerability Advisory

Overview

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the ThreadLimitHandler.getRemote() method. An attacker can exhaust the server's memory and trigger OutofMemory errors by repeatedly sending crafted requests.

Workaround

This vulnerability can be mitigated by not using ThreadLimitHandler and considering the use of QoSHandler instead to artificially limit resource utilization.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.eclipse.jetty:jetty-server to version 9.4.56, 10.0.24, 11.0.24, 12.0.9 or higher.

References

• GitHub Commit
• GitHub PR
• GitLab Issue

Overview

log4j:log4j is a 1.x branch of the Apache Log4j project. Note: Log4j 1.x reached End of Life in 2015, and is no longer supported.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.

Remediation

There is no fixed version for log4j:log4j.

References

• Apache Mailing List
• Apache Security Advisory
• Atlassian Patch
• Reload4j Fix Commit

Overview

log4j:log4j is a 1.x branch of the Apache Log4j project. Note: Log4j 1.x reached End of Life in 2015, and is no longer supported.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104.

Note: this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default.

Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.

Remediation

There is no fixed version for log4j:log4j.

References

• Apache Mailing List
• Apache Security Advisory
• Atlassian Patch
• Reload4j Fix Commit

Overview

log4j:log4j is a 1.x branch of the Apache Log4j project. Note: Log4j 1.x reached End of Life in 2015, and is no longer supported.

Affected versions of this package are vulnerable to SQL Injection. By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed.

Note: this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.

Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs.

Remediation

There is no fixed version for log4j:log4j.

References

• Apache Mailing List
• Apache Security Advisory
• Atlassian Patch
• Reload4j Fix Commit
• PoC in GitHub

Overview

org.apache.commons:commons-compress is an API for working with compression and archive formats.

Affected versions of this package are vulnerable to Infinite loop due to the improper handling of certain inputs during the parsing of dump files. An attacker can cause the application to enter an infinite loop by supplying crafted inputs.

Remediation

Upgrade org.apache.commons:commons-compress to version 1.26.0 or higher.

References

• Apache Lists
• GitHub Commit

Overview

Affected versions of this package are vulnerable to Arbitrary Code Execution via the StringSubstitutor interpolator object. Exploiting this vulnerability is possible when untrusted data flows into the StringSubstitutor.replace() or StringSubstitutor.replaceIn() methods.

Due to the nature of these methods as ones that process application data and not user input, a remote attacker would need prior access to a system in the affected environment positioned to supply such data.

Notes

The Nashorn scripting engine that can be used to exploit this vulnerability was available by default in JDKs up to 14.0.2. As of JDK 15, this vulnerability can only be exploited if another scripting engine has been added, such as JEXL.

Vulnerable lookups:

1. script - executes expressions using the JVM script execution engine (javax.script)

2. dns - resolves dns records

3. url - loads values from urls, including from remote servers

PoC

final StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
String out = interpolator.replace("${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}");
System.out.println(out);

Remediation

Upgrade org.apache.commons:commons-text to version 1.10.0 or higher.

References

• Apache Lists
• GitHub Commit
• GitHub PR
• GitHub Release
• Snyk Blog
• Nuclei Templates
• Exploit DB
• PoC in GitHub

Overview

Affected versions of this package are vulnerable to Arbitrary Code Injection when retrieving a driver via remote URI. Permissions are not sufficiently checked when allowing users to reference remote resources.

Remediation

Upgrade org.apache.nifi:nifi-record-serialization-services to version 1.23.0 or higher.

References

• Apache Mailing List
• Apache Nifi Advisory
• GitHub Commit
• GitHub PR

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Denial of Service (DoS) via a large depth of nested objects.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.12.6.1, 2.13.2.1 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Issue
• GitHub PR

Overview

com.google.protobuf:protobuf-java is a Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.

Affected versions of this package are vulnerable to Denial of Service (DoS). An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses.

Note: Protobuf javalite users are not affected.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.google.protobuf:protobuf-java to version 3.16.1, 3.18.2, 3.19.2 or higher.

References

• Chromium Bugs
• GitHub Commit
• GitHub Commit
• GitHub Commit
• Google Cloud Security Bulletin

Overview

com.google.protobuf:protobuf-java is a Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.

Affected versions of this package are vulnerable to Denial of Service (DoS) in MessageReflection.java due to a text format parsing issue. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.google.protobuf:protobuf-java to version 3.16.3, 3.19.6, 3.20.3, 3.21.7 or higher.

References

• GitHub Commit
• GitHub PR

Overview

com.nimbusds:nimbus-jose-jwt is a library for JSON Web Tokens (JWT)

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a large JWE p2c header value (AKA iteration count) for the PasswordBasedDecrypter (PBKDF2) class. An attacker can cause resource consumption by specifying an excessively large iteration count.

Remediation

Upgrade com.nimbusds:nimbus-jose-jwt to version 9.37.2 or higher.

References

• Bitbucket Commit
• Bitbucket Issue

Overview

net.minidev:json-smart is a Java JSON parser.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to a StackOverflowError when parsing a deeply nested JSON array or object.

NOTE: Although this vulnerability was fixed in version 2.4.9 the maintainer recommends upgrading to 2.4.10, due to a remaining bug.

PoC

StringBuilder s = new StringBuilder();
for (int i = 0; i < 10000 ; i++) {
  s.append("{\"a\":");
}
s.append("1");
for (int i = 0; i < 10000 ; i++) {
  s.append("}");
}
JSONParser p = new JSONParser(JSONParser.MODE_JSON_SIMPLE);
p.parse(s.toString());

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade net.minidev:json-smart to version 2.4.9 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Issue

Overview

org.apache.commons:commons-configuration2 is a group of tools to assist in the reading of configuration/preferences files in various formats.

Affected versions of this package are vulnerable to Arbitrary Code Execution via the Lookup functionality due to the ability to use certain insecure lookups that perform interpolation.

These lookups are:

1. script execute expressions using the JVM script execution engine (javax.script).

2. dns resolve DNS records.

3. url load values from URLs, including from remote servers.

CVSS Score Explanation:

This module is designed for secure configuration management. This implies that the files it handles should have limited access, whether local or remote. Remote attacks require basic privileges and server setup for remote commands. This aligns with AC:H and PR:L

Remediation

Upgrade org.apache.commons:commons-configuration2 to version 2.8 or higher.

References

• Apache Jira Issue
• Apache Security Thread
• GitHub Commit
• PoC in GitHub

Overview

org.apache.commons:commons-configuration2 is a group of tools to assist in the reading of configuration/preferences files in various formats.

Affected versions of this package are vulnerable to Out-of-Bounds Write due to the improper handling of a cyclical object tree when calling the ListDelimiterHandler.flatten method. An attacker can trigger a StackOverflowError and potentially cause a denial of service condition by submitting a specially crafted configuration object.

Remediation

Upgrade org.apache.commons:commons-configuration2 to version 2.10.1 or higher.

References

• Apache Jira Issues
• Apache Thread
• GitHub Commit

Overview

org.apache.commons:commons-configuration2 is a group of tools to assist in the reading of configuration/preferences files in various formats.

Affected versions of this package are vulnerable to Out-of-Bounds Write due to the improper handling of certain configurations in the AbstractListDelimiterHandler.flattenIterator method. An attacker can trigger a stack overflow by submitting a crafted configuration file or input, leading to a denial of service condition.

Remediation

Upgrade org.apache.commons:commons-configuration2 to version 2.10.1 or higher.

References

• Apache Jira Issues
• Apache Thread
• GitHub Commit

Overview

org.codehaus.jackson:jackson-mapper-asl is a high-performance data binding package built on Jackson JSON processor.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. via the DOMDeserializer.class file and its inner classes (DocumentDeserializer.class and NodeDeserializer.class) that uses the _parserFactory instance without restricting it from processing external XML entities when parsing user input.

Details

XXE Injection is a type of attack against an application that parses XML input. XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.

Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.

For example, below is a sample XML document, containing an XML element- username.

<?xml version="1.0" encoding="ISO-8859-1"?>
   <username>John</username>
</xml>

An external XML entity - xxe, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of /etc/passwd and display it to the user rendered by username.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
   <username>&xxe;</username>
</xml>

Other XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.

Remediation

There is no fixed version for org.codehaus.jackson:jackson-mapper-asl.

For org.codehaus.jackson:jackson-all releases supporting jackson-mapper-asl. As a workaround, for 1.9.X release, the javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING setting can be enabled. For 2.x releases, the "javax.xml.stream.isSupportingExternalEntities setting can be set to FALSE.

References

• CVE-2019-10172 Remediation for Jackson Databind

• RedHat Bugzilla Bug

• StackOverflow CVE-2016-3720 Remediation - jackson-all

Overview

org.eclipse.jetty:jetty-http is an is a http module for jetty server.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the MetaDataBuilder.checkSize function. An attacker provide a very large or negative length value for the HTTP/2 HPACK header values. This can lead to an integer overflow, resulting in a very large buffer allocation on the server.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.eclipse.jetty:jetty-http to version 9.4.53.v20231009, 10.0.16, 11.0.16 or higher.

References

• GitHub Commit
• GitHub PR
• GitHub Release
• GitHub Release
• GitHub Release

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. An attacker can cause indefinite amounts of memory to be used by inputting a string of modest size. This can lead to a Denial of Service.

PoC

package orgjsonbug;

import org.json.JSONObject;

/**
 * Illustrates a bug in JSON-Java.
 */
public class Bug {
  private static String makeNested(int depth) {
    if (depth == 0) {
      return "{\"a\":1}";
    }
    return "{\"a\":1;\t\0" + makeNested(depth - 1) + ":1}";
  }

  public static void main(String[] args) {
    String input = makeNested(30);
    System.out.printf("Input string has length %d: %s\n", input.length(), input);
    JSONObject output = new JSONObject(input);
    System.out.printf("Output JSONObject has length %d: %s\n", output.toString().length(), output);
  }
}

Remediation

Upgrade org.json:json to version 20231013 or higher.

References

• GitHub Commit
• GitHub Issue
• GitHub Issue

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) in the XML.toJSONObject component via crafted JSON or XML data.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.json:json to version 20230227 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Issue
• GitHub Issue

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a missing upper bound check on chunk length in the SnappyInputStream function. An attacker can decompress data with an excessively large chunk size.

Remediation

Upgrade org.xerial.snappy:snappy-java to version 1.1.10.4 or higher.

References

• GitHub Commit

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) via the hasNextChunk function due to improper validation of the chunkSize variable value.

Exploiting this vulnerability is possible by passing a negative number (such as 0xFFFFFFFF, which is -1), which will cause the code to raise a java.lang.NegativeArraySizeException exception. A worse case would happen when passing a huge positive value (such as 0x7FFFFFFF), raising the fatal java.lang.OutOfMemoryError error.

PoC

package org.example;
import org.xerial.snappy.SnappyInputStream;

import java.io.*;

public class Main {

    public static void main(String[] args) throws IOException {
        byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};
        SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));
        byte[] out = new byte[50];
        try {
            in.read(out);
        }
        catch (Exception ignored) {

        }
    }
}

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.xerial.snappy:snappy-java to version 1.1.10.1 or higher.

References

• GitHub Commit
• Vulnerable Code

Overview

org.apache.hadoop:hadoop-hdfs-client is an Apache Hadoop HDFS Client.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection due to the weakly configured javax.xml.parsers.DocumentBuilder XML parser.

Details

XXE Injection is a type of attack against an application that parses XML input. XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.

Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.

For example, below is a sample XML document, containing an XML element- username.

<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
   <username>John</username>
</xml>

An external XML entity - xxe, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of /etc/passwd and display it to the user rendered by username.

<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
   <username>&xxe;</username>
</xml>

Other XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.

Remediation

Upgrade org.apache.hadoop:hadoop-hdfs-client to version 3.3.5 or higher.

References

• GitHub Commit
• GitHub PR
• Jira Issue

Overview

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection where multiple components do not restrict XML External Entity references in the default configuration.

Details

XXE Injection is a type of attack against an application that parses XML input. XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.

Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.

For example, below is a sample XML document, containing an XML element- username.

<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
   <username>John</username>
</xml>

An external XML entity - xxe, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of /etc/passwd and display it to the user rendered by username.

<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
   <username>&xxe;</username>
</xml>

Other XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.

Remediation

Upgrade org.apache.nifi:nifi-security-kms to version 1.16.1 or higher.

References

• Apache Nifi Advisory
• Apache Thread
• GitHub Commit

Overview

Affected versions of this package are vulnerable to Acceptance of Extraneous Untrusted Data With Trusted Data due to missing authentication in DNS responses. An attacker can manipulate DNS records and redirect network traffic or intercept sensitive information by injecting or altering DNS records from different zones in the communication channel.

Note:

This is only exploitable if the application utilizing DNSSEC does not implement additional checks on the relevance of DNS records to the original query.

Workaround

Users that are not able to upgrade to the fixed version can mitigate it by applying the following recommendations:

1. When using a ValidatingResolver, ignore any Server indications of whether or not data was available (e.g. NXDOMAIN, NODATA);

2. For APIs returning RRs from DNS responses, filter the RRs using an algorithm such as the one above. This includes e.g. LookupSession.lookupAsync;

3. Remove APIs dealing with raw DNS messages from the examples section or place a noticeable warning above.

Remediation

Upgrade dnsjava:dnsjava to version 3.6.0 or higher.

References

• GitHub Commit
• Red Hat Bugzilla Bug