A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data.

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6177-1 advisory.

    It was discovered that Jettison incorrectly handled certain inputs. If a user or an automated system were     tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to     cause a denial of service.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of jettison installed on the remote host is prior to 1.3.3-4. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2023-2086 advisory.

  - Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks     (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the     parser to crash by Out of memory. This effect may support a denial of service attack. (CVE-2022-40150)

  - A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted     JSON data. (CVE-2022-45685)

  - Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This     vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string. (CVE-2022-45693)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the jettison package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted     JSON data. (CVE-2022-45685)

  - Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This     vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string. (CVE-2022-45693)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Oracle WebLogic Server installed on the remote host is missing a security patch from the April 2023 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities, including:

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console     (Apache Commons FileUpload)). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and     14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized     ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server.
    (CVE-2023-24998)

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Samples     (XStream)). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable     vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic     Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or     frequently repeatable crash (complete DOS) of Oracle WebLogic Server. (CVE-2022-40152)

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Third Party     (Apache Commons Compress)). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to     cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. (CVE-2021-36090)

  Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-5312 advisory.

  - Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks     (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the     parser to crash by stackoverflow. This effect may support a denial of service attack. (CVE-2022-40149)

  - Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks     (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the     parser to crash by Out of memory. This effect may support a denial of service attack. (CVE-2022-40150)

  - A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted     JSON data. (CVE-2022-45685)

  - Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This     vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string. (CVE-2022-45693)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3259 advisory.

  - Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks     (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the     parser to crash by Out of memory. This effect may support a denial of service attack. (CVE-2022-40150)

  - A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted     JSON data. (CVE-2022-45685)

  - Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This     vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string. (CVE-2022-45693)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
177430	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS / 22.04 LTS : Jettison vulnerabilities (USN-6177-1)	Nessus	Ubuntu Local Security Checks	high
177187	Amazon Linux 2 : jettison (ALAS-2023-2086)	Nessus	Amazon Linux Local Security Checks	high
177021	EulerOS 2.0 SP5 : jettison (EulerOS-SA-2023-2151)	Nessus	Huawei Local Security Checks	high
174464	Oracle WebLogic Server (Apr 2023 CPU)	Nessus	Misc.	high
169917	Debian DSA-5312-1 : libjettison-java - security update	Nessus	Debian Local Security Checks	high
169447	Debian DLA-3259-1 : libjettison-java - LTS security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2022-45685

high

Tenable Plugins

high

high

high

high

high

high