Patching cJSON Vulnerabilities in Ubuntu
cJSON is a widely used, ultralightweight JSON parser written in ANSI C. It provides a simple and efficient way to parse and generate JSON data in C programs. Because it is embedded in so many applications, any vulnerability in cJSON can have significant implications for software security. Several security issues have been identified in cJSON, particularly affecting the versions shipped in Ubuntu releases. This article details these vulnerabilities and the updates the Ubuntu security team has provided to mitigate the risks.
Overview of cJSON Vulnerabilities
Multiple vulnerabilities were discovered in cJSON, which could be exploited to crash the application if it received specially crafted input. Such crashes can lead to denial of service (DoS) attacks, potentially disrupting services and systems relying on cJSON for JSON parsing. Here are the specific vulnerabilities identified and addressed:
CVE-2023-50471
This vulnerability affects cJSON version 1.7.16. It involves a segmentation violation in the function cJSON_InsertItemInArray located in cJSON.c. An attacker can exploit this issue to cause cJSON to crash, leading to a denial of service. This vulnerability impacts Ubuntu 22.04 LTS and Ubuntu 23.10.
CVE-2023-50472
Similar to CVE-2023-50471, this vulnerability also affects cJSON version 1.7.16. It involves a segmentation violation in the function cJSON_SetValuestring found in cJSON.c. Exploiting this issue can cause cJSON to crash, resulting in a denial of service. This vulnerability impacts Ubuntu 22.04 LTS and Ubuntu 23.10.
CVE-2024-31755
This vulnerability affects cJSON version 1.7.17. It is characterized by a segmentation violation that can be triggered via the second parameter of the function cJSON_SetValuestring in cJSON.c. An attacker can leverage this issue to crash cJSON, leading to a denial of service. This vulnerability impacts Ubuntu 24.04 LTS, Ubuntu 23.10, and Ubuntu 22.04 LTS.
Importance of Applying Updates
These vulnerabilities are classified as High Severity with a CVSS v3 score of 7.5. This score underscores the importance of timely updates to mitigate potential risks associated with these vulnerabilities. Fortunately, the Ubuntu security team has responded promptly to these vulnerabilities by releasing updates for affected Ubuntu versions. To safeguard your systems, it is crucial to update the cJSON package to the latest available version.
Conclusion
cJSON vulnerabilities pose significant risks, especially given the library's widespread use across many applications. The identified issues highlight how specially crafted input can lead to denial-of-service conditions. Users should immediately update their cJSON packages to ensure their systems remain secure. Many Linux distributions, including Ubuntu, publish security advisories that address known vulnerabilities, so always keep an eye on those advisories and maintain up-to-date software to mitigate potential threats.
TuxCare’s Extended Lifecycle Support (ELS) provides automated security patching for end-of-life Ubuntu systems, including Ubuntu 16.04 and Ubuntu 18.04. It ensures your Ubuntu 16.04 and Ubuntu 18.04 systems continue receiving security updates even though the official support has ended. TuxCare’s ELS enables five additional years of vendor-grade security patches after the EOL date to protect your workloads from emerging vulnerabilities.
Learn more about Ubuntu 18.04 End of Life Extended Lifecycle Support.
Source: USN-6784-1