
CVE-2023-1370 (High) detected in json-smart-2.4.7.jar #2710

Closed
Bogendra opened this issue Apr 19, 2023 · 4 comments
Comments

@Bogendra

According to JFrog it is fixed in 2.4.10
https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/

We are using affected versions: 2.4.0, 2.5.0 and even 2.6.0 are using the problematic json-smart-2.4.7.
Please release a version that uses a new version of json-smart that has a fix for this issue.
Thanks!

@github-actions github-actions bot added the untriaged Require the attention of the repository maintainers and may need to be prioritized label Apr 19, 2023
@stephen-crawford
Contributor

Hi @Bogendra, we corrected this CVE for all supported versions as part of this pull request: #2606. 2.6.0 no longer uses the json-smart version impacted by this issue. Closing this issue as addressed but please reopen it if you feel you would like to discuss things further.

@Bogendra
Author

Thanks @scrawfor99 for the quick response. I see that the fix has been backported to 2.6 via 2631. But when I download the latest 2.6.0 release from the OpenSearch official site, I still see the old json-smart-2.4.7 version instead. Am I missing something here?
Or is it targeted to be part of 2.7 (to be released on the 25th of April)? Please point me to the release that contains this fix so that I can download it and point my security team to it.
Thanks!
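A defender's check for the situation described above, added here and not taken from the thread or the OpenSearch project: a POSIX sh script that scans an unpacked distribution for json-smart jars and flags any older than 2.4.10, the first fixed release named in the JFrog advisory linked in the issue. It assumes jar filenames of the form json-smart-<version>.jar with purely numeric version components and paths without whitespace.

```shell
#!/bin/sh
# Added example, not from the issue thread or the OpenSearch project.
# Scan an unpacked OpenSearch distribution for json-smart jars and report
# any older than the first fixed release (2.4.10 per the JFrog advisory).

FIXED_JSON_SMART="2.4.10"   # first fixed version per the advisory cited in the issue

# Extract the version from a jar filename: ".../json-smart-2.4.7.jar" -> "2.4.7".
json_smart_version() {
    basename "$1" .jar | sed -n 's/^json-smart-//p'
}

# True (exit 0) when dotted version $1 is strictly older than $2.
# Compares component by component; assumes numeric components only
# (no "-SNAPSHOT" style suffixes), which holds for the jars discussed here.
version_older_than() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
    done
    return 1
}

# Walk directory $1 (e.g. an unpacked opensearch-2.6.0 tree, including plugins),
# print one verdict line per json-smart jar, and exit 1 if any is affected.
check_distribution() {
    found_affected=0
    for jar in $(find "$1" -type f -name 'json-smart-*.jar' | sort); do
        v=$(json_smart_version "$jar")
        if version_older_than "$v" "$FIXED_JSON_SMART"; then
            echo "AFFECTED  $jar (json-smart $v < $FIXED_JSON_SMART, CVE-2023-1370)"
            found_affected=1
        else
            echo "OK        $jar (json-smart $v)"
        fi
    done
    return $found_affected
}

# Usage: sh check-json-smart.sh /path/to/unpacked/opensearch
if [ "$#" -gt 0 ]; then check_distribution "$1"; fi
```

The exit status makes the script usable as a gate in a build or release pipeline, so an artifact still bundling json-smart-2.4.7 fails the step instead of being published.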

@stephen-crawford
Contributor

stephen-crawford commented Apr 20, 2023

Hi @Bogendra, I understand the confusion here. So looking at the download link, it seems that the version attached to the website page you linked is the original 2.6.0 release. Basically, it is the version of OpenSearch that existed on the day of the 2.6.0 release and has no changes that have been retroactively applied. If you would like the most up-to-date version of the project you have a couple of options: 1) you can use Docker to pull the image from here; 2) you can grab the most recent build by manually building the package of files from the GitHub repository and following the installation process. The patch will also be available in the 2.7.0 release as you mentioned.

I realize that this is a bit confusing and less than ideal so I am going to reach out to the opensearch-build repository to see what can be done for attaching the most recent build to the website so that in the future you will get the corrected versions as soon as they are available.

The two issues I made:

opensearch-project/project-website#1582

opensearch-project/opensearch-build#3426

@Bogendra
Author

Thanks @scrawfor99 for the reply. Yes, the ideal way would be for the downloads link to reflect any changes that have been applied to a specific version. It can have multiple releases with a description of the changes/issues fixed if that helps. Either way, having these available on the download page makes it much easier than building manually or waiting for the next release to contain these patches. Thanks again for creating the respective issues to update the download page.
Please do let me know if you need anything else from my end to get this going.
