Security Advisories

CGA-qrmh-pg87-6p4r

Published

Last updated

https://images.chainguard.dev/security/CGA-qrmh-pg87-6p4r

Package

opensearch-2-jre-bcfips

Latest Update

Fixed

Fixed Version

2.14.0-r0

Aliases

Severity

7.5

High

CVSS V3

Summary

Ion Java StackOverflow vulnerability

Description

Impact

A potential denial-of-service issue exists in ion-java for applications that use ion-java to:

Deserialize Ion text encoded data, or
Deserialize Ion text or binary encoded data into the IonValue model and then invoke certain IonValue methods on that in-memory representation.

An actor could craft Ion data that, when loaded by the affected application and/or processed using the IonValue model, results in a StackOverflowError originating from the ion-java library.

Impacted versions: <1.10.5

Patches

The patch is included in ion-java >= 1.10.5.

Workarounds

Do not load data which originated from an untrusted source or that could have been tampered with. Only load data you trust.

If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

[1] https://aws.amazon.com/security/vulnerability-reporting

References

Updates

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

Safe Source for Open Source™

Media Kit Contact Us

Private Policy

CGA-qrmh-pg87-6p4r

Severity

Summary

Description

Impact

Patches

Workarounds

References

Updates

Product

Why Chainguard

Customers

Company

Resources