Deserialization of Untrusted Data in com.jsoniter:jsoniter [CVE-2021-23441] #303
Comments
I just had a closer look at this CVE out of curiosity and I'm rather dumbfounded ... is it just me, or is it just plain nonsense?!
While code snippets from snyk.io look harmless, there can be some real vulnerabilities:
I don't know if any of them exist for json-iterator yet. An acceptable solution for possible DoS attacks would be introducing some configurable limits (max number of digits, max bitset value, max level of nesting, etc.) with reasonable defaults. Here and here are examples of how DoS vulnerabilities of the json4s library were tested with the jsoniter-scala harness.
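One way to implement the configurable limits suggested above, as an added example that is not jsoniter's own code or API: a pre-parse scan that rejects untrusted JSON whose nesting depth or consecutive digit run exceeds a configured cap before any deserializer touches it. The class name, the limit values and the sample inputs are assumptions constructed for this example.

```java
import java.nio.charset.StandardCharsets;

/** Pre-parse structural limits for untrusted JSON (constructed example; not jsoniter's API). */
public final class JsonLimits {
    private final int maxDepth;
    private final int maxNumberDigits;

    public JsonLimits(int maxDepth, int maxNumberDigits) {
        this.maxDepth = maxDepth;
        this.maxNumberDigits = maxNumberDigits;
    }

    /** Returns null when the input is within limits, otherwise a description of the violated limit. */
    public String check(byte[] json) {
        int depth = 0, digits = 0;              // digits = length of the current run of digit bytes
        boolean inString = false, escaped = false;
        for (int i = 0; i < json.length; i++) {
            byte b = json[i];
            if (inString) {                     // brackets and digits inside strings are data, not structure
                if (escaped) escaped = false;
                else if (b == '\\') escaped = true;
                else if (b == '"') inString = false;
                continue;
            }
            if (b >= '0' && b <= '9') {         // caps mantissa and exponent digit runs alike
                if (++digits > maxNumberDigits) return "number exceeds " + maxNumberDigits + " digits at offset " + i;
                continue;
            }
            digits = 0;
            switch (b) {
                case '"': inString = true; break;
                case '{': case '[':
                    if (++depth > maxDepth) return "nesting deeper than " + maxDepth + " at offset " + i;
                    break;
                case '}': case ']':
                    if (--depth < 0) return "unbalanced closing bracket at offset " + i;
                    break;
                default: break;
            }
        }
        return depth == 0 ? null : "unclosed container(s) at end of input";
    }

    public static void main(String[] args) {
        JsonLimits limits = new JsonLimits(32, 100);
        String deep = "[".repeat(1000) + "]".repeat(1000);      // constructed: 1000 nested arrays
        String bigNum = "{\"n\": 1" + "0".repeat(5000) + "}";   // constructed: 5001-digit number
        String ok = "{\"a\": [1, 2, {\"b\": \"]]]]\"}]}";        // constructed: brackets inside a string
        System.out.println(limits.check(deep.getBytes(StandardCharsets.UTF_8)));   // nesting violation
        System.out.println(limits.check(bigNum.getBytes(StandardCharsets.UTF_8))); // digit violation
        System.out.println(limits.check(ok.getBytes(StandardCharsets.UTF_8)));     // null
    }
}
```

The scan is linear in input size and allocates nothing, so it is cheap to run in front of any deserializer; the limits should be tuned to the largest legitimate documents the service expects.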
I found more detailed samples here
Telegram is not accessible from my part of the world. Can someone copy the detailed samples here?
@plokhotnyuk I don't see why any of that is problematic. It's ridiculous. There is no DoS or any vulnerability inside this pdf. It's just calling the setters. It's just what setters are for, it's the expected behaviour and I think all other json libs work exactly like this. Anything else would seem strange to me. Also, regarding the "potential" vulnerabilities, isn't the role of a vulnerability report to prove that there is one, instead of "well, maybe there is something, no idea though, I haven't any working example"?
It would be nice if they would actually provide some real DoS or RCE example instead of alarming the world with unfounded claims and pure speculations.
PS: I'm not affiliated with this project in any way ... it just popped up in one of my projects as a dependency alarm.
PS @plokhotnyuk: Thanks for the link ... it's a pity that such a "CVE" is published without even being reviewed.
CVE-2021-23441 flagged here:
Description
All versions of package com.jsoniter:jsoniter are vulnerable to Deserialization of Untrusted Data via malicious JSON strings. This may lead to a Denial of Service, and in certain cases, code execution.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-23441
https://snyk.io/vuln/SNYK-JAVA-COMJSONITER-1316198
Does somebody have a patch/fix for this that could be merged and then released? Any help would be much appreciated!