Ion Java StackOverflow vulnerability
Description
Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exists in ion-java for applications that use ion-java to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into the IonValue model and then invoke certain IonValue methods on that in-memory representation. An actor could craft Ion data that, when loaded by the affected application and/or processed using the IonValue model, results in a StackOverflowError originating from the ion-java library. The patch is included in ion-java 1.10.5. As a workaround, do not load data which originated from an untrusted source or that could have been tampered with.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.amazon.ion:ion-javaMaven | < 1.10.5 | 1.10.5 |
software.amazon.ion:ion-javaMaven | >= 0 | — |
Affected products
54- osv-coords53 versionspkg:apk/chainguard/opensearch-2-jre-bcfipspkg:apk/chainguard/opensearch-2-jre-bcfips-alertingpkg:apk/chainguard/opensearch-2-jre-bcfips-analysis-icupkg:apk/chainguard/opensearch-2-jre-bcfips-analysis-kuromojipkg:apk/chainguard/opensearch-2-jre-bcfips-analysis-noripkg:apk/chainguard/opensearch-2-jre-bcfips-analysis-phoneticpkg:apk/chainguard/opensearch-2-jre-bcfips-analysis-smartcnpkg:apk/chainguard/opensearch-2-jre-bcfips-analysis-stempelpkg:apk/chainguard/opensearch-2-jre-bcfips-analysis-ukrainianpkg:apk/chainguard/opensearch-2-jre-bcfips-anomaly-detectionpkg:apk/chainguard/opensearch-2-jre-bcfips-asynchronous-searchpkg:apk/chainguard/opensearch-2-jre-bcfips-cross-cluster-replicationpkg:apk/chainguard/opensearch-2-jre-bcfips-crypto-kmspkg:apk/chainguard/opensearch-2-jre-bcfips-custom-codecspkg:apk/chainguard/opensearch-2-jre-bcfips-discovery-azure-classicpkg:apk/chainguard/opensearch-2-jre-bcfips-discovery-ec2pkg:apk/chainguard/opensearch-2-jre-bcfips-discovery-gcepkg:apk/chainguard/opensearch-2-jre-bcfips-geospatialpkg:apk/chainguard/opensearch-2-jre-bcfips-identity-shiropkg:apk/chainguard/opensearch-2-jre-bcfips-index-managementpkg:apk/chainguard/opensearch-2-jre-bcfips-ingest-attachmentpkg:apk/chainguard/opensearch-2-jre-bcfips-job-schedulerpkg:apk/chainguard/opensearch-2-jre-bcfips-k-nnpkg:apk/chainguard/opensearch-2-jre-bcfips-mapper-annotated-textpkg:apk/chainguard/opensearch-2-jre-bcfips-mapper-murmur3pkg:apk/chainguard/opensearch-2-jre-bcfips-mapper-sizepkg:apk/chainguard/opensearch-2-jre-bcfips-ml-commonspkg:apk/chainguard/opensearch-2-jre-bcfips-neural-searchpkg:apk/chainguard/opensearch-2-jre-bcfips-notificationspkg:apk/chainguard/opensearch-2-jre-bcfips-observabilitypkg:apk/chainguard/opensearch-2-jre-bcfips-performance-analyzerpkg:apk/chainguard/opensearch-2-jre-bcfips-reportingpkg:apk/chainguard/opensearch-2-jre-bcfips-repository-azurepkg:apk/chainguard/opensearch-2-jre-bcfips-repository-gcspkg:apk/chainguard/opensearch-2-jre-bcfips-repository-s3pkg:apk/chainguard/opensearch-2-jre-bcfips-securitypkg:apk/chainguard/opensearch-2-jre-bcfips-security-analyticspkg:apk/chainguard/opensearch-2-jre-bcfips-sqlpkg:apk/chainguard/opensearch-2-jre-bcfips-store-smbpkg:apk/chainguard/opensearch-2-jre-bcfips-telemetry-otelpkg:apk/chainguard/opensearch-2-jre-bcfips-transport-niopkg:apk/chainguard/wavefront-proxypkg:apk/chainguard/wavefront-proxy-compatpkg:apk/chainguard/wavefront-proxy-configpkg:apk/chainguard/wavefront-proxy-licensespkg:apk/chainguard/wavefront-proxy-oci-entrypointpkg:apk/wolfi/wavefront-proxypkg:apk/wolfi/wavefront-proxy-compatpkg:apk/wolfi/wavefront-proxy-configpkg:apk/wolfi/wavefront-proxy-licensespkg:apk/wolfi/wavefront-proxy-oci-entrypointpkg:maven/com.amazon.ion/ion-javapkg:maven/software.amazon.ion/ion-java
< 2.14.0-r0+ 52 more
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 13.4-r6
- (no CPE)range: < 13.4-r6
- (no CPE)range: < 13.4-r6
- (no CPE)range: < 13.4-r6
- (no CPE)range: < 13.4-r6
- (no CPE)range: < 13.4-r6
- (no CPE)range: < 13.4-r6
- (no CPE)range: < 13.4-r6
- (no CPE)range: < 13.4-r6
- (no CPE)range: < 13.4-r6
- (no CPE)range: < 1.10.5
- (no CPE)range: >= 0
- amazon-ion/ion-javav5Range: < 1.10.5
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-264p-99wq-f4j6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-21634ghsaADVISORY
- github.com/amazon-ion/ion-java/security/advisories/GHSA-264p-99wq-f4j6ghsax_refsource_CONFIRMWEB
- security.netapp.com/advisory/ntap-20241108-0002ghsaWEB
News mentions
0No linked articles in our index yet.