DevTest 10.7.2 - JSON Vulnerability CVE-2023-5072

Article ID: 276475

Products

Service Virtualization

Issue/Introduction

We are on 10.7.2 with SP2. Three vulnerabilities were identified related to JSON, and the recommended action is upgrading JSON.

a) S-3722: Allocation of Resources Without Limits or Throttling

b) S-3187: Denial of Service (DoS)

c) S-3594: Denial of Service (DoS)

File Name: json-20140107.jar (org.json:json:20140107)

path: ./lib/shared/json-20140107.jar

File Name: json-20151123.jar (org.json:json:20151123)

CVE: CVE-2023-5072

CVE Description: Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.

CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2023-5072

OWASP: https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/

CWE-770: https://cwe.mitre.org/data/definitions/770.html

Risk rating: High (score 7.5)

Environment

DevTest 10.7.2

Resolution

Follow the steps below to remediate the CVE-2023-5072 vulnerability in DevTest environments:

  1. Stop all the DevTest services except IAM and ED.
  2. Remove the following jars (if present) from the <LISA_HOME>/lib/shared directory:
    1. json-20140107.jar
    2. json-20151123.jar
    3. json-20180130.jar
  3. Copy the attached "json-20231013.jar" into the <LISA_HOME>/lib/shared directory.
  4. Restart the DevTest services.

Note: we recommend applying the fix on the DevTest Workstations too, by following the same steps.
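As an added verification for steps 2 and 3 (this script is not part of the article or of the DevTest product), the following POSIX shell check lists the org.json jars in a lib/shared directory and flags any build at or below 20230618, the last affected version named in the CVE description. The default LISA_HOME path in the usage line is an assumption.

```shell
#!/bin/sh
# Added check, not part of the Broadcom article: report org.json jars in a
# DevTest lib/shared directory and flag builds affected by CVE-2023-5072.
# org.json uses YYYYMMDD build numbers, so versions compare numerically.
LAST_VULNERABLE=20230618      # last affected version per the CVE description
FIXED_JSON_VERSION=20231013   # version shipped as the remediation jar

# check_json_jars DIR
# Prints "<file> <status>" for every json-<YYYYMMDD>.jar in DIR.
# Returns 1 if a vulnerable or unrecognised jar remains, 0 otherwise.
check_json_jars() {
    dir="$1"
    rc=0
    for jar in "$dir"/json-*.jar; do
        [ -e "$jar" ] || continue          # no match: glob stays literal
        name=$(basename "$jar")
        ver=${name#json-}
        ver=${ver%.jar}
        case "$ver" in
            *[!0-9]*|"")
                # Not a YYYYMMDD build (e.g. json-simple); needs manual review.
                echo "$name UNKNOWN-VERSION (inspect manually)"
                rc=1
                continue ;;
        esac
        if [ "$ver" -le "$LAST_VULNERABLE" ]; then
            echo "$name VULNERABLE (<= $LAST_VULNERABLE, replace with json-$FIXED_JSON_VERSION.jar)"
            rc=1
        else
            echo "$name OK"
        fi
    done
    return $rc
}

# Usage (LISA_HOME default is an assumption):
#   check_json_jars "${LISA_HOME:-/opt/DevTest}/lib/shared"
```

Run it before step 3 to confirm the old jars are gone, and again after step 4 to confirm only json-20231013.jar reports OK.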

Attachments

json-20231013.jar