jettison security update (openEuler-SA-2023-1914)

An update for jettison is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS, openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2.

Document type: Security Advisory
Publisher: openEuler security committee (openeuler-security@openeuler.org)
Advisory ID: openEuler-SA-2023-1914
Status: Final
Version: 1.0
Revision history: 1.0, 2023-12-15, Initial
Initial release date: 2023-12-15
Current release date: 2023-12-15
Generator: openEuler SA Tool V1.0, 2023-12-15

Synopsis: jettison security update
Severity: High
Affected component: jettison

Description:

Jettison is a collection of Java APIs (like StAX and DOM) which read and write JSON. This allows nearly transparent enablement of JSON-based web services in services frameworks like CXF or XML serialization frameworks like XStream.

Security Fix(es):

- Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack. (CVE-2022-40149)
- Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by out of memory. This effect may support a denial of service attack. (CVE-2022-40150)
- A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data. (CVE-2022-45685)
- Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string. (CVE-2022-45693)

openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

References:

- https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1914
- https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-40149
- https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-40150
- https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-45685
- https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-45693
- https://nvd.nist.gov/vuln/detail/CVE-2022-40149
- https://nvd.nist.gov/vuln/detail/CVE-2022-40150
- https://nvd.nist.gov/vuln/detail/CVE-2022-45685
- https://nvd.nist.gov/vuln/detail/CVE-2022-45693

Affected products and fixed packages:

openEuler-20.03-LTS-SP1
  Binary: jettison-1.5.4-1.oe1.noarch.rpm, jettison-javadoc-1.5.4-1.oe1.noarch.rpm
  Source: jettison-1.5.4-1.oe1.src.rpm

openEuler-20.03-LTS-SP3
  Binary: jettison-1.5.4-1.oe1.noarch.rpm, jettison-javadoc-1.5.4-1.oe1.noarch.rpm
  Source: jettison-1.5.4-1.oe1.src.rpm

openEuler-22.03-LTS
  Binary: jettison-1.5.4-1.oe2203.noarch.rpm, jettison-javadoc-1.5.4-1.oe2203.noarch.rpm
  Source: jettison-1.5.4-1.oe2203.src.rpm

openEuler-22.03-LTS-SP1
  Binary: jettison-1.5.4-1.oe2203sp1.noarch.rpm, jettison-javadoc-1.5.4-1.oe2203sp1.noarch.rpm
  Source: jettison-1.5.4-1.oe2203sp1.src.rpm

openEuler-22.03-LTS-SP2
  Binary: jettison-1.5.4-1.oe2203sp2.noarch.rpm, jettison-javadoc-1.5.4-1.oe2203sp2.noarch.rpm
  Source: jettison-1.5.4-1.oe2203sp2.src.rpm

Vulnerability details (descriptions as given under Security Fix(es) above):

The following fields are identical for all four vulnerabilities:
  Release date: 2023-12-15
  Affected products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS, openEuler-22.03-LTS-SP1, openEuler-22.03-LTS-SP2
  Impact: High
  CVSS base score: 7.5
  CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Remediation: jettison security update, 2023-12-15, https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1914

- CVE-2022-40149: parser crash by stack overflow on untrusted XML or JSON input (denial of service)
- CVE-2022-40150: parser crash by out of memory on untrusted XML or JSON input (denial of service)
- CVE-2022-45685: stack overflow via crafted JSON data in Jettison before v1.5.2 (denial of service)
- CVE-2022-45693: stack overflow via the map parameter with a crafted string in Jettison before v1.5.2 (denial of service)