Closed ZanderHuang closed 2 years ago
Thank you for reporting this issue: sounds like sub-optimal handling.
I am not sure I see the DoS aspect itself, as exceptions are the mechanism to use for many kinds of invalid data, but in this case handling should produce a package-specified exception, not an accidental NPE.
Description
This vulnerability is of Uncaught Exception for java.lang.IllegalArgumentException in com.fasterxml.jackson.dataformat, jackson-dataformat-ion (2.13.0, the latest version) with com.amazon.ion, ion-java (1.8.3, the latest version). Specifically, it fails to check the runtime exception java.lang.IllegalArgumentException in function com.fasterxml.jackson.dataformat.ion.IonParser.getEmbeddedObject() (IonParser.java: 434). The attackers can launch DoS (Denial of Service) attacks to any program that directly uses this library (CWE-2248: Uncaught exception).
The vulnerable code:
The crash stack:
Proof of Concept
Fix suggestion
Wrap this kind of exception as a type of exception the library provides, e.g. IonException. Maybe the fix should be made not only in jackson but also in its dependent ion-java package.
Impact
The attackers can launch DoS (Denial of Service) attacks to any program that directly uses this library (CWE-2248: Uncaught exception).
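Until a fixed release is in use, a caller can apply the same wrapping idea at its own trust boundary. The following is an added example, not code from this issue or from the Jackson project: the class `UntrustedIonBoundary`, the exception `MalformedIonException`, the method `parseUntrusted` and the sample inputs are all constructed for illustration.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.dataformat.ion.IonObjectMapper;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;

public class UntrustedIonBoundary {

    /** Hypothetical checked exception: the only failure type callers must handle. */
    public static class MalformedIonException extends IOException {
        public MalformedIonException(String message, Throwable cause) {
            super(message, cause);
        }
    }

    private static final IonObjectMapper MAPPER = new IonObjectMapper();

    /** Parses attacker-controllable Ion data; no unchecked exception escapes. */
    public static JsonNode parseUntrusted(byte[] payload) throws MalformedIonException {
        try {
            return MAPPER.readTree(payload);
        } catch (IOException e) {
            // Declared failure path (JsonProcessingException and other IOExceptions).
            throw new MalformedIonException("Ion payload rejected by parser", e);
        } catch (RuntimeException e) {
            // Undeclared failure path, e.g. IllegalArgumentException or NPE
            // surfacing from the parser or from ion-java underneath it.
            throw new MalformedIonException(
                "Ion payload caused unchecked " + e.getClass().getName(), e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one well-formed Ion text value, one truncated.
        List<String> samples = List.of("{name:\"ok\", n:1}", "{name:\"trunc");
        for (String s : samples) {
            try {
                JsonNode node = parseUntrusted(s.getBytes(StandardCharsets.UTF_8));
                System.out.println("accepted: " + node);
            } catch (MalformedIonException e) {
                // One bad message is logged and dropped; the loop keeps serving.
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Catching `RuntimeException` this broadly is reasonable only at the boundary where untrusted bytes enter; keeping the original exception as the cause preserves the stack trace for triage.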