CVE-2023-5072
📋 TL;DR
CVE-2023-5072 is a denial-of-service vulnerability in the JSON-Java library where specially crafted JSON input causes excessive memory consumption, potentially crashing applications. This affects any application using vulnerable JSON-Java versions to parse untrusted JSON data. The vulnerability requires no authentication and can be triggered remotely.
💻 Affected Systems
- JSON-Java (org.json:json)
📦 What is this software?
JSON-Java by stleary (GitHub: stleary/JSON-java)
⚠️ Risk & Real-World Impact
Worst Case
Complete application crash and service unavailability due to memory exhaustion, potentially affecting multiple services if shared infrastructure is impacted.
Likely Case
Application instability, degraded performance, or service crashes when processing malicious JSON payloads from untrusted sources.
If Mitigated
Limited impact with proper input validation, memory limits, and isolation of JSON parsing components.
🎯 Exploit Status
Exploitation requires sending specially crafted JSON payloads to vulnerable endpoints. The vulnerability is well-documented with public proof-of-concept examples available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 20231013 and later
Vendor Advisory: https://github.com/stleary/JSON-java/security/advisories/GHSA-8v9q-7r4c-4c5h
Restart Required: Yes
Instructions:
1. Update the JSON-Java dependency to version 20231013 or later.
2. For Maven: update pom.xml to <version>20231013</version>.
3. For Gradle: update build.gradle to implementation 'org.json:json:20231013'.
4. Restart affected applications.
🔧 Temporary Workarounds
Input Validation and Size Limits
Implement strict input validation and size limits on JSON payloads before parsing
Configure web server/application to reject JSON payloads exceeding reasonable size limits
Memory Limit Configuration
Configure JVM memory limits and monitoring to detect and prevent memory exhaustion
java -Xmx512m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/path/to/dumps
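An added example of the size-limit workaround above (this is not code from the JSON-Java project): a hypothetical BoundedJsonParser wrapper that refuses oversized request bodies before JSON-Java ever sees them and, as extra defence in depth, also caps bracket nesting; the byte and depth limits are assumptions to tune per endpoint.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import org.json.JSONException;
import org.json.JSONObject;

/** Hypothetical guard: caps body size and nesting depth before JSON-Java parses the text. */
public final class BoundedJsonParser {
    private final int maxBytes; // largest body accepted, e.g. 64 * 1024 (assumed value)
    private final int maxDepth; // deepest {} / [] nesting accepted, e.g. 32 (assumed value)

    public BoundedJsonParser(int maxBytes, int maxDepth) { this.maxBytes = maxBytes; this.maxDepth = maxDepth; }

    /** Reads at most maxBytes from the request body and fails fast if more arrives. */
    public JSONObject parse(InputStream body) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = body.read(chunk)) != -1) {
            if (buf.size() + n > maxBytes) {
                throw new IllegalArgumentException("JSON body exceeds " + maxBytes + " bytes");
            }
            buf.write(chunk, 0, n);
        }
        String text = buf.toString("UTF-8");
        int depth = nestingDepth(text);
        if (depth > maxDepth) {
            throw new IllegalArgumentException("JSON nesting depth " + depth + " exceeds " + maxDepth);
        }
        try {
            return new JSONObject(text); // only bounded input reaches the library
        } catch (JSONException e) {
            throw new IllegalArgumentException("Malformed JSON", e);
        }
    }

    /** Deepest {} / [] nesting in the text, ignoring brackets inside string literals. */
    static int nestingDepth(String s) {
        int depth = 0, max = 0;
        boolean inString = false;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (inString) {
                if (c == '\\') i++; // skip the escaped character
                else if (c == '"') inString = false;
            } else if (c == '"') inString = true;
            else if (c == '{' || c == '[') max = Math.max(max, ++depth);
            else if (c == '}' || c == ']') depth--;
        }
        return max;
    }
}
```

Call parse() with the raw request InputStream so the cap applies before the body is buffered; it does not replace upgrading to 20231013.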
🧯 If You Can't Patch
- Implement WAF rules to block suspicious JSON payloads and monitor for memory exhaustion patterns
- Isolate JSON parsing to dedicated containers with strict resource limits and automatic restart policies
🔍 How to Verify
Check if Vulnerable:
Check project dependencies for JSON-Java version 20230618 or earlier.
For Maven: mvn dependency:tree | grep json
For Gradle: gradle dependencies | grep json
Check Version:
The JAR has no runnable version switch: read the version from the JAR file name (for example json-20230618.jar), from the Maven metadata inside it (unzip -p json-*.jar META-INF/maven/org.json/json/pom.properties), or from the build configuration files.
Verify Fix Applied:
Verify JSON-Java version is 20231013 or later. Test with known malicious JSON payloads to ensure no memory exhaustion occurs.
📡 Detection & Monitoring
Log Indicators:
- OutOfMemoryError exceptions
- High memory usage spikes during JSON parsing
- Application crashes or restarts after JSON processing
Network Indicators:
- Large or malformed JSON payloads to JSON endpoints
- Repeated JSON requests causing performance degradation
SIEM Query:
source="application.logs" AND ("OutOfMemoryError" OR "java.lang.OutOfMemoryError") AND "JSON"
🔗 References
- http://www.openwall.com/lists/oss-security/2023/12/13/4
- https://github.com/stleary/JSON-java/issues/758
- https://github.com/stleary/JSON-java/issues/771
- https://security.netapp.com/advisory/ntap-20240621-0007/