1. Summary

Vulnerability Name

Apache Johnzon Deserialization of Untrusted Data Vulnerability (CVE-2023-33008)

Release Date

July 13, 2023

Component Name

Apache Johnzon

Affected Versions

Apache Johnzon < 1.2.21

Vulnerability Type

CWE-502: Deserialization of Untrusted Data

Severity

CVSS v3 Base Score: 5.3 (Medium)

Exploitability

Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: None

Impact

Confidentiality Impact: None

Integrity Impact: None

Availability Impact: Low

2. About the Vulnerability CVE-2023-33008

2.1 Introduction

Apache Johnzon is a lightweight Java library used for parsing and generating JSON (JavaScript Object Notation) data.

2.2 Summary

On July 13, 2023, Sangfor FarSight Labs detected a deserialization of untrusted data vulnerability in Apache Johnzon, identified as CVE-2023-33008, with a severity rating of Medium (CVSS Score 5.3).

The vulnerability arises because Apache Johnzon does not perform adequate checks on input data during the deserialization process. A malicious attacker can exploit the vulnerability by crafting JSON input that contains large numbers (e.g., 1e20000000). When Apache Johnzon attempts to deserialize this input, it interprets the large number as a BigDecimal and may trigger the conversion to a BigInteger using BigDecimal#toBigInteger().

The BigDecimal itself is cheap to parse, since it stores only the unscaled digits and an exponent, but BigDecimal#toBigInteger() must expand the value to every one of its digits (more than twenty million for 1e20000000), which is very slow and memory-intensive for such extreme exponents. An attacker can exploit this by sending a large volume of JSON data containing such numbers, forcing Apache Johnzon to repeatedly perform the slow BigDecimal#toBigInteger() conversion. This resource-intensive operation strains the system's processing capacity and can lead to a Denial of Service (DoS).
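The following Java snippet is an added example written for this page; it is not code from Sangfor or from the Johnzon project. It shows the kind of check a calling application can apply before converting a parsed JSON number to a BigInteger: the digit count of the integer part is derived from BigDecimal's compact representation (precision and scale), so the decision costs nothing even for a literal such as 1e20000000, and the expensive toBigInteger() call is made only when the value is below an assumed size limit. The class name, the method names and the MAX_INTEGER_DIGITS threshold are assumptions chosen for illustration.

```java
import java.math.BigDecimal;
import java.math.BigInteger;

/**
 * Guard for BigDecimal -> BigInteger conversion.
 * Added example for this advisory; not Johnzon code. The threshold and
 * method names are assumptions.
 */
public final class BoundedBigIntegerConversion {

    /** Largest number of integer digits we are willing to materialize (assumed policy value). */
    static final int MAX_INTEGER_DIGITS = 10_000;

    /**
     * Number of digits to the left of the decimal point, computed from the
     * compact representation without expanding the value: precision() counts
     * the significant digits of the unscaled value and scale() says how many
     * of them sit to the right of the point (a negative scale means implied
     * trailing zeros, which is how "1e20000000" is stored).
     */
    static int integerDigits(BigDecimal value) {
        if (value.signum() == 0) {
            return 1;
        }
        return Math.max(0, value.precision() - value.scale());
    }

    /** Converts only when the integer part is small enough to compute cheaply. */
    static BigInteger boundedToBigInteger(BigDecimal value) {
        int digits = integerDigits(value);
        if (digits > MAX_INTEGER_DIGITS) {
            throw new IllegalArgumentException(
                "refusing BigInteger conversion: " + digits
                    + " integer digits exceeds limit of " + MAX_INTEGER_DIGITS);
        }
        return value.toBigInteger();
    }

    public static void main(String[] args) {
        // Constructed input: the literal form named in the advisory. Parsing it is
        // cheap (unscaled value 1, scale -20000000); only toBigInteger() would be
        // expensive, and the guard never reaches that call.
        BigDecimal hostile = new BigDecimal("1e20000000");
        System.out.println("integer digits of 1e20000000: " + integerDigits(hostile));
        try {
            boundedToBigInteger(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Constructed benign inputs pass through to the normal conversion.
        System.out.println(boundedToBigInteger(new BigDecimal("123456.789")));
        System.out.println(boundedToBigInteger(new BigDecimal("0.001")));
        System.out.println(boundedToBigInteger(new BigDecimal("-9.99e5")));
    }
}
```

The same guard applies to values an application obtains from a JSON-P JsonNumber through bigDecimalValue() before it asks for an integer view. It is a defence-in-depth measure for code paths that must accept arbitrary JSON numbers; upgrading to a fixed Johnzon release remains the primary remedy.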

3. Affected Versions

Apache Johnzon < 1.2.21

4. Solutions

4.1 Apache Solution

4.1.1 Version Upgrade

Apache has released a new version of Johnzon to fix the vulnerability. Users are advised to upgrade to version 1.2.21 or later.

Link: https://johnzon.apache.org/download.html

5. Timeline

On July 13, 2023, Sangfor FarSight Labs received a notice about the Apache Johnzon Denial of Service Vulnerability (CVE-2023-33008).

On July 13, 2023, Sangfor FarSight Labs released a vulnerability alert.

6. References

https://issues.apache.org/jira/browse/JOHNZON-397

https://nvd.nist.gov/vuln/detail/CVE-2023-33008

7. Learn More

Sangfor FarSight Labs researches the latest cyberthreats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.
