{
  "threat_severity" : "Important",
  "public_date" : "2024-01-03T00:00:00Z",
  "bugzilla" : {
    "description" : "ion-java: ion-java: Ion Java StackOverflow vulnerability",
    "id" : "2304311",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2304311"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-770",
  "details" : [ "Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exists in `ion-java` for applications that use `ion-java` to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into the `IonValue` model and then invoke certain `IonValue` methods on that in-memory representation. An actor could craft Ion data that, when loaded by the affected application and/or processed using the `IonValue` model, results in a `StackOverflowError` originating from the `ion-java` library. The patch is included in `ion-java` 1.10.5. As a workaround, do not load data which originated from an untrusted source or that could have been tampered with.", "A vulnerability was found in Amazon Ion, an implementation of Ion data notation. Ion-java may be affected by denial of service (DoS) due to issues while deserializing encoded data into IonValue. A maliciously crafted Ion data structure may be processed and cause a StackOverflowError, leaving the application in an unreliable state." ],
  "affected_release" : [ {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "release_date" : "2024-10-01T00:00:00Z",
    "advisory" : "RHSA-2024:7442",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
    "release_date" : "2024-10-01T00:00:00Z",
    "advisory" : "RHSA-2024:7441",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8",
    "package" : "eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
    "release_date" : "2024-10-01T00:00:00Z",
    "advisory" : "RHSA-2024:7441",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8",
    "package" : "eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
    "release_date" : "2024-10-01T00:00:00Z",
    "advisory" : "RHSA-2024:7441",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8",
    "package" : "eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
    "release_date" : "2024-10-01T00:00:00Z",
    "advisory" : "RHSA-2024:7441",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8",
    "package" : "eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
    "release_date" : "2024-10-01T00:00:00Z",
    "advisory" : "RHSA-2024:7441",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
    "package" : "eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
    "release_date" : "2024-10-01T00:00:00Z",
    "advisory" : "RHSA-2024:7441",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
    "package" : "eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
    "release_date" : "2024-10-01T00:00:00Z",
    "advisory" : "RHSA-2024:7441",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
    "package" : "eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
    "release_date" : "2024-10-01T00:00:00Z",
    "advisory" : "RHSA-2024:7441",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
    "package" : "eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap"
  } ],
  "package_state" : [ {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "software.amazon.ion/ion-java",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 3",
    "fix_state" : "Not affected",
    "package_name" : "software.amazon.ion/ion-java",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:3"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 4",
    "fix_state" : "Not affected",
    "package_name" : "software.amazon.ion/ion-java",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:4"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Not affected",
    "package_name" : "software.amazon.ion/ion-java",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat build of Quarkus",
    "fix_state" : "Not affected",
    "package_name" : "software.amazon.ion/ion-java",
    "cpe" : "cpe:/a:redhat:quarkus:3",
    "impact" : "important"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Will not fix",
    "package_name" : "software.amazon.ion/ion-java",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Not affected",
    "package_name" : "software.amazon.ion/ion-java",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Not affected",
    "package_name" : "software.amazon.ion/ion-java",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "ion-java",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "ion-java",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-21634\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-21634\nhttps://github.com/amazon-ion/ion-java/security/advisories/GHSA-264p-99wq-f4j6" ],
  "name" : "CVE-2024-21634",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria of ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}