CVE-2023-3635 - OpenCVE

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Amq Streams Jboss Enterprise Bpms Platform Jboss Fuse Jbosseapxp
Squareup	Okio

Configuration 1 [-]

OR	cpe:2.3:a:squareup:okio::::::::
	cpe:2.3:a:squareup:okio::::::::

Package	CPE	Advisory	Released Date
Red Hat AMQ Streams 2.5.0
	cpe:/a:redhat:amq_streams:2	RHSA-2023:5165	2023-09-14T00:00:00Z
Red Hat Fuse 7.12.1
okio	cpe:/a:redhat:jboss_fuse:7	RHSA-2023:7247	2023-11-15T00:00:00Z
Red Hat JBoss Enterprise Application Platform Expansion Pack
okio	cpe:/a:redhat:jbosseapxp	RHSA-2024:3385	2024-05-28T00:00:00Z
RHPAM 7.13.5 async
okio	cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13	RHSA-2024:1353	2024-03-18T00:00:00Z

References

Link	Providers
https://github.com/square/okio/commit/81bce1a30af244550b0324597720e4799281da7b
https://nvd.nist.gov/vuln/detail/CVE-2023-3635
https://research.jfrog.com/vulnerabilities/okio-gzip-source-unhandled-exception-dos-xray-523195/
https://www.cve.org/CVERecord?id=CVE-2023-3635

History

No history.

MITRE

Status: PUBLISHED

Assigner: JFROG

Published: 2023-07-12T18:34:31.609Z

Updated: 2024-08-02T07:01:57.503Z

Reserved: 2023-07-12T12:46:57.470Z

Link: CVE-2023-3635

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-07-12T19:15:08.983

Modified: 2023-10-25T15:17:42.170

Link: CVE-2023-3635

Redhat

Severity : Important

Publid Date: 2023-07-12T00:00:00Z

Links: CVE-2023-3635 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3635", "assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "state": "PUBLISHED", "assignerShortName": "JFROG", "dateReserved": "2023-07-12T12:46:57.470Z", "datePublished": "2023-07-12T18:34:31.609Z", "dateUpdated": "2024-08-02T07:01:57.503Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://mvnrepository.com", "defaultStatus": "unaffected", "packageName": "com.squareup.okio:okio", "versions": [{"lessThan": "1.0.0", "status": "affected", "version": "0.5.0", "versionType": "maven"}, {"lessThan": "1.17.6", "status": "affected", "version": "1.0.0", "versionType": "maven"}, {"lessThan": "3.0.0", "status": "affected", "version": "2.0.0", "versionType": "maven"}, {"lessThan": "3.4.0", "status": "affected", "version": "3.0.0", "versionType": "maven"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.</p>"}], "value": "GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-195", "description": "CWE-195: Signed to Unsigned Conversion Error", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "shortName": "JFROG", "dateUpdated": "2023-10-03T21:09:06.443Z"}, "references": [{"url": "https://research.jfrog.com/vulnerabilities/okio-gzip-source-unhandled-exception-dos-xray-523195/"}, {"url": "https://github.com/square/okio/commit/81bce1a30af244550b0324597720e4799281da7b"}], "source": {"discovery": "EXTERNAL"}, "title": "Okio GzipSource unhandled exception Denial of Service", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:01:57.503Z"}, "title": "CVE Program Container", "references": [{"url": "https://research.jfrog.com/vulnerabilities/okio-gzip-source-unhandled-exception-dos-xray-523195/", "tags": ["x_transferred"]}, {"url": "https://github.com/square/okio/commit/81bce1a30af244550b0324597720e4799281da7b", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:squareup:okio:*:*:*:*:*:*:*:*", "matchCriteriaId": "03403B65-FE42-46FB-B8DA-2AAFAD29C5F4", "versionEndExcluding": "1.17.6", "versionStartIncluding": "0.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:squareup:okio:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC8A3FE6-BD81-4D3D-9568-E364F5D35668", "versionEndExcluding": "3.4.0", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.\n\n"}, {"lang": "es", "value": "GzipSource no maneja una excepci\u00f3n que podr\u00eda surgir al analizar un b\u00fafer gzip malformado. Esto puede conducir a la denegaci\u00f3n de servicio del cliente Okio cuando se maneja un archivo GZIP manipulado, mediante el uso de la clase \"GzipSource\"."}], "id": "CVE-2023-3635", "lastModified": "2023-10-25T15:17:42.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "reefs@jfrog.com", "type": "Secondary"}]}, "published": "2023-07-12T19:15:08.983", "references": [{"source": "reefs@jfrog.com", "tags": ["Patch"], "url": "https://github.com/square/okio/commit/81bce1a30af244550b0324597720e4799281da7b"}, {"source": "reefs@jfrog.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://research.jfrog.com/vulnerabilities/okio-gzip-source-unhandled-exception-dos-xray-523195/"}], "sourceIdentifier": "reefs@jfrog.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-681"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-195"}], "source": "reefs@jfrog.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:5165", "cpe": "cpe:/a:redhat:amq_streams:2", "product_name": "Red Hat AMQ Streams 2.5.0", "release_date": "2023-09-14T00:00:00Z"}, {"advisory": "RHSA-2023:7247", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "okio", "product_name": "Red Hat Fuse 7.12.1", "release_date": "2023-11-15T00:00:00Z"}, {"advisory": "RHSA-2024:3385", "cpe": "cpe:/a:redhat:jbosseapxp", "impact": "moderate", "package": "okio", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "release_date": "2024-05-28T00:00:00Z"}, {"advisory": "RHSA-2024:1353", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", "package": "okio", "product_name": "RHPAM 7.13.5 async", "release_date": "2024-03-18T00:00:00Z"}], "bugzilla": {"description": "okio: GzipSource class improper exception handling", "id": "2229295", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2229295"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-248", "details": ["GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.", "A flaw was found in SquareUp Okio. A class GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This issue may allow a malicious user to start processing a malformed file, which can result in a Denial of Service (DoS)."], "name": "CVE-2023-3635", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:2", "fix_state": "Not affected", "package_name": "okio", "product_name": "Cryostat 2"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "okio", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:jboss_developer_studio:12.", "fix_state": "Out of support scope", "package_name": "okio", "product_name": "Red Hat CodeReady Studio 12"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Will not fix", "impact": "low", "package_name": "okio", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Out of support scope", "package_name": "okio", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "okio", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "okio", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Affected", "package_name": "okio", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/metrics-hawkular-metrics", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/ose-logging-elasticsearch5", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/ose-metrics-hawkular-metrics", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "hadoop-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-hive", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-presto", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "fix_state": "Affected", "package_name": "com.squareup.okio_okio", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Will not fix", "package_name": "okio", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Will not fix", "impact": "low", "package_name": "okio", "product_name": "Red Hat support for Spring Boot"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Affected", "package_name": "okio", "product_name": "streams for Apache Kafka"}], "public_date": "2023-07-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-3635\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-3635"], "statement": "Red Hat JBoss Enterprise Application Platform XP does contain Okio package but is not using GzipSource.java, which is the affected class.\nRed Hat support for Spring Boot is considered low impact as it's used by Dekorate during compilation process and not included in the resulting Jar.", "threat_severity": "Important", "upstream_fix": "okio 3.4.0, okio 3.5.0"}