CVE-2023-1370:Stack Exhaustion Vulnerability in Json-smart Leads to Denial of Service


Description

A vulnerability in Json-smart, a performance-focused JSON processor library, allows attackers to cause a denial of service condition through stack exhaustion. When parsing deeply nested JSON structures containing arrays or objects, the library performs recursive parsing without limiting the nesting depth. This can lead to stack overflow and application crashes when processing maliciously crafted JSON input.

Overview

Json-smart is a widely used JSON processing library designed for performance. The vulnerability (CVE-2023-1370) exists in the library's parsing mechanism for arrays and objects. When the parser encounters opening brackets ('[' or '{') in JSON input, it processes these structures recursively without implementing any depth limits. An attacker can exploit this by crafting a JSON payload with excessively nested arrays or objects, causing the application to exhaust its stack space and crash. This constitutes a denial of service vulnerability (CWE-674: Uncontrolled Recursion) that affects applications using the Json-smart library to parse untrusted JSON data.

Remediation

To mitigate this vulnerability, consider the following actions:

  1. Update to the latest version of Json-smart if a patched version is available.
  2. Implement input validation to reject JSON with excessive nesting before passing it to Json-smart.
  3. Consider using alternative JSON parsing libraries with configurable depth limits.
  4. If continuing to use vulnerable versions, implement a pre-processing step to check the nesting depth of JSON inputs.
  5. Monitor application logs for stack overflow errors that might indicate exploitation attempts.
  6. Consider increasing the JVM stack size as a temporary workaround, though this does not fix the underlying issue.
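The following is an added example of remediation steps 2 and 4 above (a pre-processing depth check in front of the parser); it is not code from Armis or from the Json-smart project. It assumes the Json-smart artifact (net.minidev:json-smart) is on the classpath and uses its `JSONValue.parse` entry point; the class name `JsonDepthGuard`, the `MAX_DEPTH` value of 64 and the sample inputs are all constructed for the example. The scanner counts `[`/`{` nesting while skipping string literals and escape sequences, so brackets inside strings are not miscounted, and it stops as soon as the limit is exceeded rather than scanning the whole payload.

```java
import net.minidev.json.JSONValue;

/** Rejects JSON text whose bracket nesting exceeds a fixed limit before it reaches the parser. */
public final class JsonDepthGuard {

    /** Maximum nesting allowed; an assumed value, tune it to what your application legitimately needs. */
    public static final int MAX_DEPTH = 64;

    private JsonDepthGuard() {}

    /**
     * Returns the maximum nesting depth of arrays/objects in the text, or -1 as soon as
     * the depth exceeds maxDepth. Brackets inside string literals (and escaped quotes
     * inside strings) are ignored, so a value such as "[[[[" does not count.
     * This does not validate JSON syntax; that remains the parser's job.
     */
    public static int nestingDepth(String json, int maxDepth) {
        int depth = 0;
        int maxSeen = 0;
        boolean inString = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (c == '\\') {
                    i++;               // skip the escaped character (covers \" and \\)
                } else if (c == '"') {
                    inString = false;
                }
                continue;
            }
            switch (c) {
                case '"':
                    inString = true;
                    break;
                case '[':
                case '{':
                    depth++;
                    if (depth > maxDepth) {
                        return -1;     // over the limit: stop early, do not scan the rest
                    }
                    if (depth > maxSeen) {
                        maxSeen = depth;
                    }
                    break;
                case ']':
                case '}':
                    if (depth > 0) {
                        depth--;
                    }
                    break;
                default:
                    break;
            }
        }
        return maxSeen;
    }

    /** Hands the text to Json-smart only after the depth check passes. */
    public static Object parseGuarded(String json) {
        if (nestingDepth(json, MAX_DEPTH) < 0) {
            // An explicit, loggable rejection instead of a StackOverflowError deep inside the parser
            throw new IllegalArgumentException(
                "JSON nesting exceeds " + MAX_DEPTH + " levels; rejected before parsing");
        }
        return JSONValue.parse(json);
    }

    public static void main(String[] args) {
        // Constructed benign input: depth 3, with a bracket inside a string that must not be counted
        String normal = "{\"user\":{\"roles\":[\"admin\",\"[not-a-bracket]\"]}}";
        System.out.println("normal depth = " + nestingDepth(normal, MAX_DEPTH));

        // Constructed hostile input: 100000 nested arrays, the shape the advisory describes
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 100_000; i++) sb.append('[');
        for (int i = 0; i < 100_000; i++) sb.append(']');
        String hostile = sb.toString();
        System.out.println("hostile depth = " + nestingDepth(hostile, MAX_DEPTH));

        try {
            parseGuarded(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("parsed: " + parseGuarded(normal));
    }
}
```

Because the rejection happens in application code, it can be logged and counted like any other input-validation failure, which is a cleaner signal for step 5 (monitoring) than a `StackOverflowError` surfacing from the parser thread. The limit should be set from the depth your own documents actually need, not from the JVM stack size, since the latter varies with thread configuration and the `-Xss` setting.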

References

  1. JFrog Research: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
  2. NetApp Security Advisory: https://security.netapp.com/advisory/ntap-20240621-0006/
  3. Json-smart Project: https://netplex.github.io/json-smart/
  4. CWE-674: Uncontrolled Recursion: https://cwe.mitre.org/data/definitions/674.html

Industry Exposure (most to least affected)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing
  2. Public Administration
  3. Health Care & Social Assistance
  4. Transportation & Warehousing
  5. Finance and Insurance
  6. Professional, Scientific, & Technical Services
  7. Retail Trade
  8. Arts, Entertainment & Recreation
  9. Utilities
  10. Other Services (except Public Administration)
  11. Educational Services
  12. Management of Companies & Enterprises
  13. Wholesale Trade
  14. Accommodation & Food Services
  15. Administrative, Support, Waste Management & Remediation Services
  16. Agriculture, Forestry, Fishing & Hunting
  17. Construction
  18. Information
  19. Mining
  20. Real Estate Rental & Leasing

Armis Vulnerability Intelligence Database