hazelcast 5.3.6 fixing org.json:json OOM CVE-2023-5072

Description

Upgrade hazelcast from 5.3.2 to >= 5.3.5.

hazelcast 5.3.2 contains a relocated (shaded) copy of org.json:json:20230227:
https://github.com/hazelcast/hazelcast/blob/v5.3.2/hazelcast/pom.xml#L515
https://github.com/hazelcast/hazelcast/blob/v5.3.2/hazelcast/pom.xml#L191-L198

org.json:json:20230227 is vulnerable: a bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used (CVE-2023-5072): https://nvd.nist.gov/vuln/detail/CVE-2023-5072

hazelcast 5.3.5, which includes everit-json-schema:1.14.3 with the fix, has been released:
https://github.com/hazelcast/hazelcast/commits/v5.3.5

To prevent out-of-memory (OOM) crashes and attacks that trigger them, please upgrade hazelcast.
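Added example (not part of this ticket or the hazelcast project): a check a module maintainer can run over `mvn dependency:list` output to confirm hazelcast is at or above the fixed version. Because org.json is relocated inside the hazelcast jar, it never shows up as its own coordinate, so the check keys on hazelcast itself; the sample listing below is constructed.

```python
"""Flag Maven dependency listings that still pull in a hazelcast build
carrying the relocated, vulnerable org.json parser (CVE-2023-5072)."""
import re
from typing import Iterable, List, Tuple

FIXED_VERSION = "5.3.5"            # first hazelcast release with everit-json-schema 1.14.3
VULNERABLE_GA = "com.hazelcast:hazelcast"

# Matches lines as printed by `mvn dependency:list` (no classifier), e.g.
#    com.hazelcast:hazelcast:jar:5.3.2:compile
DEP_LINE = re.compile(r"([\w.-]+):([\w.-]+):[\w-]+:([\w.-]+):\w+")


def parse_version(v: str) -> Tuple[Tuple[int, ...], int]:
    """Split '5.3.5-SNAPSHOT' into ((5, 3, 5), 0). A bare release sorts after
    any qualified build of the same number, as Maven orders them."""
    base, _, qualifier = v.partition("-")
    nums = tuple(int(p) for p in base.split(".") if p.isdigit())
    return nums, 0 if qualifier else 1


def is_vulnerable(version: str) -> bool:
    """True when the hazelcast version is below the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_vulnerable(dep_lines: Iterable[str]) -> List[str]:
    """Return the coordinates of every hazelcast artifact below the fix.
    org.json:json itself is absent from the listing because hazelcast shades
    it, so a scan for that coordinate alone would report nothing."""
    hits = []
    for line in dep_lines:
        m = DEP_LINE.search(line)
        if not m:
            continue
        group, artifact, version = m.groups()
        if f"{group}:{artifact}" == VULNERABLE_GA and is_vulnerable(version):
            hits.append(f"{group}:{artifact}:{version}")
    return hits


# Constructed sample output: no org.json line, even though 5.3.2 bundles it.
SAMPLE_DEPENDENCY_LIST = """
   com.hazelcast:hazelcast:jar:5.3.2:compile
   org.apache.commons:commons-lang3:jar:3.12.0:compile
   org.slf4j:slf4j-api:jar:2.0.9:compile
"""

if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE_DEPENDENCY_LIST.splitlines()):
        print("upgrade needed:", hit)
```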

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None

Activity

Julian Ladisch December 20, 2023 at 12:37 PM

Works for me on the Poppy bugfest environment.

JenkinsNotifications December 18, 2023 at 3:20 PM

Deployed to the Poppy bf env. Moved status to In bugfix review from status Awaiting deployment. Please proceed with the verification.

Done

Details

Development Team

Volaris

Release

Poppy (R2 2023) Bug Fix

RCA Group

Related dependency upgrade

Created November 16, 2023 at 8:02 PM
Updated December 20, 2023 at 12:37 PM
Resolved November 17, 2023 at 10:43 AM