230 lines
13 KiB
XML
230 lines
13 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
|
|
<DocumentTitle xml:lang="en">An update for jettison is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2</DocumentTitle>
|
|
<DocumentType>Security Advisory</DocumentType>
|
|
<DocumentPublisher Type="Vendor">
|
|
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
|
|
<IssuingAuthority>openEuler security committee</IssuingAuthority>
|
|
</DocumentPublisher>
|
|
<DocumentTracking>
|
|
<Identification>
|
|
<ID>openEuler-SA-2023-1914</ID>
|
|
</Identification>
|
|
<Status>Final</Status>
|
|
<Version>1.0</Version>
|
|
<RevisionHistory>
|
|
<Revision>
|
|
<Number>1.0</Number>
|
|
<Date>2023-12-15</Date>
|
|
<Description>Initial</Description>
|
|
</Revision>
|
|
</RevisionHistory>
|
|
<InitialReleaseDate>2023-12-15</InitialReleaseDate>
|
|
<CurrentReleaseDate>2023-12-15</CurrentReleaseDate>
|
|
<Generator>
|
|
<Engine>openEuler SA Tool V1.0</Engine>
|
|
<Date>2023-12-15</Date>
|
|
</Generator>
|
|
</DocumentTracking>
|
|
<DocumentNotes>
|
|
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">jettison security update</Note>
|
|
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for jettison is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2.</Note>
|
|
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">Jettison is a collection of Java APIs (like STaX and DOM) which read and write JSON. This allows nearly transparent enablement of JSON based web services in services frameworks like CXF or XML serialization frameworks like XStream.
|
|
|
|
Security Fix(es):
|
|
|
|
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.(CVE-2022-40149)
|
|
|
|
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.(CVE-2022-40150)
|
|
|
|
A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data.(CVE-2022-45685)
|
|
|
|
Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.(CVE-2022-45693)</Note>
|
|
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for jettison is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2.
|
|
|
|
openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
|
|
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">High</Note>
|
|
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">jettison</Note>
|
|
</DocumentNotes>
|
|
<DocumentReferences>
|
|
<Reference Type="Self">
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1914</URL>
|
|
</Reference>
|
|
<Reference Type="openEuler CVE">
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-40149</URL>
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-40150</URL>
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-45685</URL>
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-45693</URL>
|
|
</Reference>
|
|
<Reference Type="Other">
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-40149</URL>
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-40150</URL>
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-45685</URL>
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-45693</URL>
|
|
</Reference>
|
|
</DocumentReferences>
|
|
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
|
|
<Branch Type="Product Name" Name="openEuler">
|
|
<FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>
|
|
<FullProductName ProductID="openEuler-20.03-LTS-SP3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">openEuler-20.03-LTS-SP3</FullProductName>
|
|
<FullProductName ProductID="openEuler-22.03-LTS" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">openEuler-22.03-LTS</FullProductName>
|
|
<FullProductName ProductID="openEuler-22.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">openEuler-22.03-LTS-SP1</FullProductName>
|
|
<FullProductName ProductID="openEuler-22.03-LTS-SP2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">openEuler-22.03-LTS-SP2</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="noarch">
|
|
<FullProductName ProductID="jettison-1.5.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jettison-1.5.4-1.oe1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="jettison-javadoc-1.5.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jettison-javadoc-1.5.4-1.oe1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="jettison-1.5.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">jettison-1.5.4-1.oe1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="jettison-javadoc-1.5.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">jettison-javadoc-1.5.4-1.oe1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="jettison-1.5.4-1" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">jettison-1.5.4-1.oe2203.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="jettison-javadoc-1.5.4-1" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">jettison-javadoc-1.5.4-1.oe2203.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="jettison-javadoc-1.5.4-1" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">jettison-javadoc-1.5.4-1.oe2203sp1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="jettison-1.5.4-1" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">jettison-1.5.4-1.oe2203sp1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="jettison-javadoc-1.5.4-1" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">jettison-javadoc-1.5.4-1.oe2203sp2.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="jettison-1.5.4-1" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">jettison-1.5.4-1.oe2203sp2.noarch.rpm</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="src">
|
|
<FullProductName ProductID="jettison-1.5.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jettison-1.5.4-1.oe1.src.rpm</FullProductName>
|
|
<FullProductName ProductID="jettison-1.5.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">jettison-1.5.4-1.oe1.src.rpm</FullProductName>
|
|
<FullProductName ProductID="jettison-1.5.4-1" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">jettison-1.5.4-1.oe2203.src.rpm</FullProductName>
|
|
<FullProductName ProductID="jettison-1.5.4-1" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">jettison-1.5.4-1.oe2203sp1.src.rpm</FullProductName>
|
|
<FullProductName ProductID="jettison-1.5.4-1" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">jettison-1.5.4-1.oe2203sp2.src.rpm</FullProductName>
|
|
</Branch>
|
|
</ProductTree>
|
|
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2023-12-15</ReleaseDate>
|
|
<CVE>CVE-2022-40149</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
<ProductID>openEuler-22.03-LTS</ProductID>
|
|
<ProductID>openEuler-22.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-22.03-LTS-SP2</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>High</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>7.5</BaseScore>
|
|
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>jettison security update</Description>
|
|
<DATE>2023-12-15</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1914</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="2" xml:lang="en">Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2023-12-15</ReleaseDate>
|
|
<CVE>CVE-2022-40150</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
<ProductID>openEuler-22.03-LTS</ProductID>
|
|
<ProductID>openEuler-22.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-22.03-LTS-SP2</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>High</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>7.5</BaseScore>
|
|
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>jettison security update</Description>
|
|
<DATE>2023-12-15</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1914</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
<Vulnerability Ordinal="3" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="3" xml:lang="en">A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2023-12-15</ReleaseDate>
|
|
<CVE>CVE-2022-45685</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
<ProductID>openEuler-22.03-LTS</ProductID>
|
|
<ProductID>openEuler-22.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-22.03-LTS-SP2</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>High</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>7.5</BaseScore>
|
|
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>jettison security update</Description>
|
|
<DATE>2023-12-15</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1914</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
<Vulnerability Ordinal="4" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="4" xml:lang="en">Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2023-12-15</ReleaseDate>
|
|
<CVE>CVE-2022-45693</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
<ProductID>openEuler-22.03-LTS</ProductID>
|
|
<ProductID>openEuler-22.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-22.03-LTS-SP2</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>High</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>7.5</BaseScore>
|
|
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>jettison security update</Description>
|
|
<DATE>2023-12-15</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1914</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
</cvrfdoc> |