A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data.

vendor_unpatched cve-2022-45685: Unpatched CVEs for Ubuntu Linux (cve-2022-45685)

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6177-1 advisory.

    It was discovered that Jettison incorrectly handled certain inputs. If a user or an automated system were     tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to     cause a denial of service.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of jettison installed on the remote host is prior to 1.3.3-4. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2023-2086 advisory.

    2024-02-01: CVE-2022-40150 was added to this advisory.

    Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks     (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the     parser to crash by Out of memory. This effect may support a denial of service attack. (CVE-2022-40150)

    A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted     JSON data. (CVE-2022-45685)

    Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This     vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string. (CVE-2022-45693)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the jettison package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted     JSON data. (CVE-2022-45685)

  - Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This     vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string. (CVE-2022-45693)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Oracle WebLogic Server installed on the remote host is missing a security patch from the April 2023 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities, including:

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console     (Apache Commons FileUpload)). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and     14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized     ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server.
    (CVE-2023-24998)

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Samples     (XStream)). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable     vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic     Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or     frequently repeatable crash (complete DOS) of Oracle WebLogic Server. (CVE-2022-40152)

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Third Party     (Apache Commons Compress)). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to     cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. (CVE-2021-36090)

  Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-5312 advisory.

  - Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks     (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the     parser to crash by stackoverflow. This effect may support a denial of service attack. (CVE-2022-40149)

  - Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks     (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the     parser to crash by Out of memory. This effect may support a denial of service attack. (CVE-2022-40150)

  - A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted     JSON data. (CVE-2022-45685)

  - Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This     vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string. (CVE-2022-45693)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3259 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-3259-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                      Markus Koschany     December 31, 2022                             https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : libjettison-java     Version        : 1.5.3-1~deb10u1     CVE ID         : CVE-2022-40150 CVE-2022-45685 CVE-2022-45693     Debian Bug     : 1022553

    Several flaws have been discovered in libjettison-java, a     collection of StAX parsers and writers for JSON. Specially crafted user input     may cause a denial of service via out-of-memory or stack overflow errors.

    In addition a build failure related to the update was fixed in jersey1.

    For Debian 10 buster, these problems have been fixed in version     1.5.3-1~deb10u1.

    We recommend that you upgrade your libjettison-java packages.

    For the detailed security status of libjettison-java please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/libjettison-java

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: This is a digitally signed message part

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
177430	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS / 22.04 LTS : Jettison vulnerabilities (USN-6177-1)	Nessus	Ubuntu Local Security Checks	high
177187	Amazon Linux 2 : jettison (ALAS-2023-2086)	Nessus	Amazon Linux Local Security Checks	high
177021	EulerOS 2.0 SP5 : jettison (EulerOS-SA-2023-2151)	Nessus	Huawei Local Security Checks	high
174464	Oracle WebLogic Server (Apr 2023 CPU)	Nessus	Misc.	high
169917	Debian DSA-5312-1 : libjettison-java - security update	Nessus	Debian Local Security Checks	high
169447	Debian dla-3259 : libjettison-java - security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2022-45685

high

Tenable Plugins

Coming Soon

high

high

high

high

high

high