First published: Wed Jan 03 2024(Updated: )
### Impact A potential denial-of-service issue exists in `ion-java` for applications that use `ion-java` to: * Deserialize Ion text encoded data, or * Deserialize Ion text or binary encoded data into the `IonValue` model and then invoke certain `IonValue` methods on that in-memory representation. An actor could craft Ion data that, when loaded by the affected application and/or processed using the `IonValue` model, results in a `StackOverflowError` originating from the `ion-java` library. Impacted versions: <1.10.5 ### Patches The patch is included in `ion-java` >= 1.10.5. ### Workarounds Do not load data which originated from an untrusted source or that could have been tampered with. **Only load data you trust.** ---- If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue. [1] https://aws.amazon.com/security/vulnerability-reporting
Credit: security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Amazon Ion | <1.10.5 | |
maven/software.amazon.ion:ion-java | <1.10.5 | |
maven/com.amazon.ion:ion-java | <1.10.5 | 1.10.5 |
IBM Cognos Analytics | <=12.0.0-12.0.2 | |
IBM Cognos Analytics | <=11.2.0-11.2.4 FP3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.