CVE-2023-5072 org.json:json OOM. Analysis of vulnerability

Description

Severity: High
Modules impacted:
mod-remote-storage Volaris

Denial of service: a bug in the org.json parser means that an input string of modest size can cause unbounded memory consumption (out-of-memory), so any code path that feeds untrusted JSON into the vulnerable library is exposed.

Link: https://nvd.nist.gov/vuln/detail/CVE-2023-5072
Package Name: org.json:json
Fixed in org.json:json:20231013
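The finding in this ticket (org.json shipped relocated inside hazelcast-5.3.2.jar within the mod-remote-storage fat jar, identified through META-INF/maven/org.json/json/pom.properties) is exactly the kind of dependency a pom-level scan misses, because the module's own pom only declares hazelcast. The scanner below is an added example written for this page, not FOLIO, Hazelcast or everit code: it walks a fat jar, descends into every nested jar, reads the org.json pom.properties marker and compares the version against the fixed release 20231013. The sample fat jar it builds is constructed inline; its lib/ layout, class file names and the relocated package path are placeholders, not the real artifact.

```python
"""Find org.json:json copies nested inside shaded/fat jars (added example)."""
import io
import zipfile

FIXED_VERSION = "20231013"  # first org.json:json release with the CVE-2023-5072 fix
POM_PROPS = "META-INF/maven/org.json/json/pom.properties"


def parse_pom_properties(text):
    """Return the 'version' value from a Maven pom.properties file, or None."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "version":
            return value.strip()
    return None


def is_vulnerable(version):
    """org.json uses date-style versions (YYYYMMDD), so a numeric compare is safe."""
    return int(version) < int(FIXED_VERSION)


def find_org_json(jar_bytes, path=""):
    """Recursively walk a jar and every jar nested in it.

    Yields (location, version, vulnerable) for each org.json pom.properties
    marker found; locations use the 'outer.jar!/inner/path' convention.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            here = f"{path}!/{name}" if path else name
            if name == POM_PROPS:
                version = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                if version:
                    yield (here, version, is_vulnerable(version))
            elif name.endswith(".jar"):
                # Descend into shaded/fat-jar nesting (e.g. a bundled hazelcast jar).
                yield from find_org_json(zf.read(name), here)


def scan_jar(jar_bytes):
    """Return all org.json findings in a jar as a list of tuples."""
    return list(find_org_json(jar_bytes))


def build_sample_fat_jar(org_json_version="20230227"):
    """Constructed sample, not a real FOLIO or Hazelcast artifact.

    An outer fat jar carries a nested 'hazelcast-5.3.2.jar' whose shaded
    org.json copy left its Maven pom.properties marker in place. The class
    file names and the 'lib/' layout are placeholders.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("com/example/relocated/json/JSONObject.class", b"")
        z.writestr(POM_PROPS, f"version={org_json_version}\ngroupId=org.json\nartifactId=json\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("org/example/app/Main.class", b"")
        z.writestr("lib/hazelcast-5.3.2.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for location, version, vulnerable in scan_jar(build_sample_fat_jar()):
        state = "VULNERABLE (< 20231013)" if vulnerable else "ok"
        print(f"{location}: org.json {version} -> {state}")
```

Run it against a real module jar by replacing the sample bytes with the file contents (for example `scan_jar(open("mod-remote-storage-fat.jar", "rb").read())`). The check relies on the pom.properties marker surviving the shading step; a shade configuration that strips META-INF/maven would hide the copy, in which case the fallback is to fingerprint the relocated JSON classes themselves.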

Activity

Julian Ladisch December 22, 2023 at 9:32 AM

mod-remote-storage 3.0.1 with the fix has been released: https://github.com/folio-org/mod-remote-storage/releases/tag/v3.0.1

Julian Ladisch November 23, 2023 at 4:14 PM

mod-remote-storage has the fix on master branch but no release yet.

Julian Ladisch November 16, 2023 at 7:52 PM
Edited

hazelcast-5.3.2.jar relocates everit-json-schema:1.14.2 and org.json:json:

https://github.com/hazelcast/hazelcast/blob/v5.3.2/hazelcast/pom.xml#L515
https://github.com/hazelcast/hazelcast/blob/v5.3.2/hazelcast/pom.xml#L191-L198

Therefore we can upgrade neither org.json:json nor everit-json-schema in mod-remote-storage.

everit-json-schema:1.14.3 with fixed org.json:json:20231013 has been released:
https://github.com/everit-org/json-schema/releases/tag/1.14.3

hazelcast 5.3.5 with everit-json-schema:1.14.3 has been released:
https://github.com/hazelcast/hazelcast/commits/v5.3.5

Denis November 16, 2023 at 6:18 PM

mod-remote-storage version is v3.0.0.
Looks like the fat jar contains hazelcast-5.3.2.jar and that uses org.json_json 20230227 (META-INF/maven/org.json/json/pom.properties).

Craig McNally November 9, 2023 at 4:30 PM

Kick back to EBSCO to investigate further and provide more information.

Done

Details

RCA Group

TBD

Created November 1, 2023 at 9:18 PM
Updated May 3, 2024 at 9:07 AM
Resolved January 11, 2024 at 4:15 PM