7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-21634

GHSA ID

GHSA-264p-99wq-f4j6

EPSS Score

0.55345%

CWE

CWE-770

Published

1/3/2024

Updated

4/12/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-21634

CVE-2024-21634: Ion Java StackOverflow vulnerability

Impact

A potential denial-of-service issue exists in ion-java for applications that use ion-java to:

Deserialize Ion text encoded data, or
Deserialize Ion text or binary encoded data into the IonValue model and then invoke certain IonValue methods on that in-memory representation.

An actor could craft Ion data that, when loaded by the affected application and/or processed using the IonValue model, results in a StackOverflowError originating from the ion-java library.

Impacted versions: <1.10.5

Patches

The patch is included in ion-java >= 1.10.5.

Workarounds

Do not load data which originated from an untrusted source or that could have been tampered with. Only load data you trust.

If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

[1] https://aws.amazon.com/security/vulnerability-reporting

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-21634

CVE-2024-21634:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-21634

GHSA ID

GHSA-264p-99wq-f4j6

EPSS Score

0.55345%

CWE

CWE-770

Published

1/3/2024

Updated

4/12/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.amazon.ion:ion-java	maven	< 1.10.5	1.10.5
software.amazon.ion:ion-java	maven	< 1.10.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a StackOverflowError (Denial of Service) in ion-java when deserializing crafted Ion data and then invoking certain IonValue methods. The NVD entry CVE-2024-21634 lists CWE-674 (Uncontrolled Recursion) and CWE-770.

Two primary commits between the vulnerable version range (<1.10.5) and the patched version (1.10.5) address issues in IonValue processing that could lead to uncontrolled recursion:

Commit 0a4b60efc77d9913b1c1ec5d5ce8c7f3ae0355cc fixes a bug in com.amazon.ion.impl.lite.IonValueLite.hashTypeAnnotations. This method is a component of com.amazon.ion.impl.lite.IonValueLite.hashCode(). The hashCode() method is recursive for Ion container types. A flaw in hashTypeAnnotations could contribute to the hashCode() recursion becoming uncontrolled on crafted data, leading to a StackOverflow. Thus, com.amazon.ion.impl.lite.IonValueLite.hashCode() is identified as a vulnerable function.
Commit 250258a2cd3f1ba39f9f51bff411edebfa2a42d5 changes the behavior of com.amazon.ion.impl.lite.IonValueLite.toString(). It modifies the default writer used by toString() to allow invalid Symbol IDs (SIDs). The toString() method relies on the recursive writeTo(IonWriter) method. Previously, encountering certain invalid SID configurations during the writeTo process (as called by toString) could trigger uncontrolled recursion. The patch mitigates this by making the writer more lenient. Thus, com.amazon.ion.impl.lite.IonValueLite.toString() is identified as another vulnerable function.

Both hashCode() and toString() are common IonValue methods that would be invoked after deserialization, fitting the vulnerability description. The patches address underlying issues that could cause these recursive methods to exhaust the stack.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-21634: Ion Java StackOverflow vulnerability

Impact

Patches

Workarounds

CVE-2024-21634:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.5

7.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-21634: Ion Java StackOverflow vulnerability

Impact

Patches

Workarounds

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI