Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12cjY0LXI5cWotaDI3Zs4AA5o_
Reading specially crafted serializable objects from an untrusted source may cause an infinite loop and denial of service
Any program on the JVM may read serialized objects via java.io.ObjectInputStream.readObject(). Reading serialized objects from an untrusted source is inherently unsafe (this affects any program running on any version of the JVM) and is a prerequisite for this vulnerability.
Clojure classes that represent infinite seqs (Cycle, infinite Repeat, and Iterate) do not define hashCode() and use the parent ASeq.hashCode(), which walks the seq to compute the hash, yielding an infinite loop. Classes like java.util.HashMap call hashCode() on keys during deserialization of a serialized map.
The exploit requires:
- Crafting a serialized HashMap object with an infinite seq object as a key.
- Sending that to a program that reads serialized objects via ObjectInputStream.readObject().
This will cause the program to enter an infinite loop on the reading thread and thus a denial of service (DoS).
The affected Clojure classes (Cycle, Repeat, Iterate) exist in Clojure 1.7.0-1.11.1, 1.12.0-alpha1-1.12.0-alpha8.
Permalink: https://github.com/advisories/GHSA-vr64-r9qj-h27fJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12cjY0LXI5cWotaDI3Zs4AA5o_
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 months ago
Updated: about 1 month ago
Identifiers: GHSA-vr64-r9qj-h27f, CVE-2024-22871
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-22871
- https://hackmd.io/%40fe1w0/rymmJGida
- https://clojure.atlassian.net/browse/CLJ-2839
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWWK2SO2MH4SXPO6L444MM6LHVLVFULV
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25FKUOYXQZGGJMFUM5HJABWMIX2TILRV
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YFPGUDXMW6OXKIDGCOZFEAXO74VQIB2T
- https://github.com/advisories/GHSA-vr64-r9qj-h27f
Affected Packages
maven:org.clojure:clojure
Dependent packages: 439Dependent repositories: 5,297
Downloads:
Affected Version Ranges: >= 1.12.0-alpha1, < 1.12.0-alpha9, >= 1.7.0, < 1.11.2
Fixed in: 1.12.0-alpha9, 1.11.2
All affected versions: 1.7.0, 1.8.0, 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.11.0, 1.11.1, 1.12.0-alpha1, 1.12.0-alpha2, 1.12.0-alpha3, 1.12.0-alpha4, 1.12.0-alpha5, 1.12.0-alpha6, 1.12.0-alpha7, 1.12.0-alpha8
All unaffected versions: 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.11.2, 1.11.3