
CVE-2024-21634

Ion Java StackOverflow vulnerability

  • Severity Score: 7.5 (CVSS v3.1)
  • Exploit Likelihood: - (EPSS)
  • Affected Versions: < 1.10.5 (CPE)
  • Public Exploits: 0 (multiple sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exists in `ion-java` for applications that use `ion-java` to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into the `IonValue` model and then invoke certain `IonValue` methods on that in-memory representation. An actor could craft Ion data that, when loaded by the affected application and/or processed using the `IonValue` model, results in a `StackOverflowError` originating from the `ion-java` library. The patch is included in `ion-java` 1.10.5. As a workaround, do not load data which originated from an untrusted source or that could have been tampered with.


A vulnerability was found in Amazon Ion, an implementation of Ion data notation. Ion-java may be affected by denial of service (DoS) due to issues while deserializing encoded data into IonValue. A maliciously crafted Ion data structure may be processed and cause a StackOverflowError, leaving the application in an unreliable state.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2023-12-29 CVE Reserved
  • 2024-01-03 CVE Published
  • 2024-01-18 EPSS Updated
  • 2024-08-01 CVE Updated
  • Exploited in Wild: -
  • KEV Due Date: -
  • First Exploit: -
CWE
  • CWE-770: Allocation of Resources Without Limits or Throttling
Affected Vendors, Products, and Versions
  • Vendor: Amazon
  • Product: Ion
  • Version: < 1.10.5
  • Other: -
  • Status: Affected