CVE-2024-31744
📋 TL;DR
This vulnerability in Jasper 4.2.2 allows attackers to cause a denial of service (DoS) by triggering an assertion failure in the jpc_streamlist_remove function when processing a specially crafted image file. The vulnerability affects systems using Jasper for JPEG 2000 image processing, potentially impacting applications that handle untrusted image uploads.
💻 Affected Systems
- Jasper JPEG 2000 library
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption through application crash, potentially affecting availability of image processing services or applications that rely on Jasper library.
Likely Case
Denial of service through application crash when processing malicious image files, requiring service restart.
If Mitigated
Minimal impact if proper input validation and sandboxing are implemented, with crashes contained to isolated processes.
🎯 Exploit Status
Exploitation is straightforward - simply providing a malicious JPEG 2000 image file to the vulnerable function triggers the crash.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 6d084c53a77762f41bb5310713a5f1872fef55f5 and later versions
Vendor Advisory: https://github.com/jasper-software/jasper/commit/6d084c53a77762f41bb5310713a5f1872fef55f5
Restart Required: Yes
Instructions:
1. Update Jasper to version containing commit 6d084c53a77762f41bb5310713a5f1872fef55f5 or later. 2. Rebuild any applications using Jasper library. 3. Restart affected services.
🔧 Temporary Workarounds
Input validation and filtering
allImplement strict validation of JPEG 2000 image files before processing with Jasper library
Process isolation
allRun Jasper image processing in isolated containers or processes to contain crashes
🧯 If You Can't Patch
- Implement strict file type validation to reject untrusted JPEG 2000 images
- Deploy application monitoring to detect and restart crashed Jasper processes
🔍 How to Verify
Check if Vulnerable:
Check Jasper version: `jasper --version` should show if version is 4.2.2 or earlier with vulnerable codeCheck Version:
jasper --versionVerify Fix Applied:
Verify Jasper version includes commit 6d084c53a77762f41bb5310713a5f1872fef55f5 or test with known malicious JPEG 2000 image📡 Detection & Monitoring
Log Indicators:
- Application crashes with assertion failures in jpc_dec.c
- Segmentation faults in Jasper processes
- Unexpected process terminations during image processing
Network Indicators:
- Multiple failed image upload attempts
- Unusual JPEG 2000 file uploads to image processing endpoints
SIEM Query:
process_name:"jasper" AND (event_type:"crash" OR exit_code:139 OR signal:SIGABRT)