CVE-2023-5072 - Denial of Service in JSON-Java versions up to and including 20230618.

[elrob]

https://nvd.nist.gov/vuln/detail/CVE-2023-5072

GHSA-rm7j-f5g5-27vv

[johnjaylward]

Relates to #758, #759, #771, #772

[stleary]

@elrob Thanks for letting us know. As @johnjaylward posted, it seems to me that both vulnerabilities have been addressed and it is only necessary to cut a new release. I don't think any additional code changes are needed.

[TimoBuechert]

@stleary can you already tell when the new release with the fix will be created?
Thank you very much!

[stleary]

Yes, the new release will come out later today.

[Bhavitha-Chava]

Hi @stleary, Could you pls let me know when we can expect the release? Is there a lower version that we can use to avoid hitting this vulnerability

[stleary]

Release 20231013 is available, and is the earliest version that fixes the vulnerability. Have patience, it can take some time before it appears in the Maven repo.

[lhazlewood]

@stleary was it strictly necessary to require JDK 8 for this release? 20230618 was still JDK 7 compatible, but 20231013 is not.

[stleary]

@lhazlewood It was not strictly necessary.
How important is this to you?
What version of Java do you use?
Can you upgrade to Java 8?

[stleary]

@elrob @TimoBuechert Release 20231013 is now available in the Maven public repository.

[lhazlewood]

@stleary I maintain a library that is used with both Java and Android, and we support JDK 7 (at the moment) mostly for Android's purposes (which uses org.json APIs). That requirement for us is going away shortly however, and I did find a workaround using maven profiles to default to 20231013, with an override to 20230618 when compiling on JDK 7 for the time being.

[PayBas]

Haven't tested it thoroughly yet, but our main issue is that 20231013 seems to be included in the vulnerable versions in our Nexus Lifecycle tool:

Not sure if it's an administration error, or if they feel that 20231013 doesn't actually fix the vulnerability.

I'll try to contact SonaType to see whats up.

Update: opened support ticket:

https://nvd.nist.gov/vuln/detail/CVE-2023-5072 is marked as: "JSON-Java versions up to and including 20230618"
The developers assert that is has been resolved in version 20231013 #789

But Nexus IQ/Lifecycle says:
Recommendation
There is no non-vulnerable upgrade path for this component/package. We recommend investigating alternative > components or a potential mitigating control.
Version Affected
[20070829,20231013]

Any reason why SonaType would mark this specific version as vulnerable?

Update 2: apparently there's a dedicated place to submit corrections. So I've done so.
https://ossindex.sonatype.org/component/pkg:maven/org.json/json@20231013 will hopefully no longer be marked as vulnerable soon.

[stleary]

@PayBas Thanks for checking. Perhaps they found a different way to recreate the problem.