
Ubuntu 22.04 LTS USN-6629-1 Critical: UltraJSON DoS And Memory Issues

February 14, 2024
Ensure your Ubuntu installations are fully updated to mitigate various security vulnerabilities associated with UltraJSON that could impact Python's JSON processing and memory stability.

Summary

Several security issues were fixed in UltraJSON.

Software Description:

- ujson: ultra fast JSON encoder and decoder for Python 3

Details:

It was discovered that UltraJSON incorrectly handled certain input with
a large amount of indentation. An attacker could possibly use this issue
to crash the program, resulting in a denial of service. (CVE-2021-45958)

Jake Miller discovered that UltraJSON incorrectly decoded certain
characters. An attacker could possibly use this issue to cause key
confusion and overwrite values in dictionaries. (CVE-2022-31116)

It was discovered that UltraJSON incorrectly handled an error when
reallocating a buffer for string decoding. An attacker could possibly
use this issue to corrupt memory. (CVE-2022-31117)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS (Available with Ubuntu Pro):
   python3-ujson                   5.1.0-1ubuntu0.1~esm1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
   python-ujson                    1.35-2ubuntu0.1~esm1
   python3-ujson                   1.35-2ubuntu0.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
   python-ujson                    1.33-1ubuntu0.1~esm2
   python3-ujson                   1.33-1ubuntu0.1~esm2

In general, a standard system update will make all the necessary changes.
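As an added example (not part of the notice or of the ujson project), the following script checks an installed ujson package against the fixed versions listed above. It embeds the version table from this notice and reimplements dpkg's version-comparison algorithm (Debian Policy section 5.6.12) in pure Python so the logic can be run and tested off-host; the `installed_version` helper shells out to `dpkg-query` and is only meaningful on a Debian-derived system. On a real Ubuntu host `dpkg --compare-versions` remains the authoritative implementation.

```python
"""Check installed ujson package versions against the fixed versions in USN-6629-1.
Added example: pure-Python reimplementation of dpkg's version ordering."""
import subprocess
from typing import Optional

# Fixed versions copied from the "Update Instructions" section of USN-6629-1.
FIXED_VERSIONS = {
    "22.04": {"python3-ujson": "5.1.0-1ubuntu0.1~esm1"},
    "18.04": {"python-ujson": "1.35-2ubuntu0.1~esm1",
              "python3-ujson": "1.35-2ubuntu0.1~esm1"},
    "16.04": {"python-ujson": "1.33-1ubuntu0.1~esm2",
              "python3-ujson": "1.33-1ubuntu0.1~esm2"},
}


def _order(c: str) -> int:
    """dpkg's character ordering: '~' sorts before everything (even end of
    string), letters sort before other non-digits; digits are handled separately."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments like dpkg's verrevcmp(): alternate between
    non-digit runs (ordered by _order) and numeric runs (leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character; end of string counts as 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: strip leading zeros; a longer run is larger, otherwise
        # the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no '-' present: the whole string is the upstream part
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return <0, 0 or >0 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def is_fixed(release: str, package: str, installed: str) -> bool:
    """True if `installed` is at or above the fixed version from USN-6629-1."""
    return compare_versions(installed, FIXED_VERSIONS[release][package]) >= 0


def installed_version(package: str) -> Optional[str]:
    """Ask dpkg for the installed version; None if absent or dpkg is unavailable."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    import sys
    release = sys.argv[1] if len(sys.argv) > 1 else "22.04"
    for pkg in FIXED_VERSIONS[release]:
        ver = installed_version(pkg)
        if ver is None:
            print(f"{pkg}: not installed")
        else:
            print(f"{pkg} {ver}: {'fixed' if is_fixed(release, pkg, ver) else 'VULNERABLE'}")
```

Run it on the host as `python3 check_ujson.py 22.04` (the script name is a placeholder). Because the fixed packages are published only through the Ubuntu Pro (ESM) repositories listed above, a host that has not attached Ubuntu Pro keeps the pre-fix version even after a normal `apt upgrade`; the version comparison, not the absence of upgradable packages, is what tells you the host is patched.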

References

https://ubuntu.com/security/notices/USN-6629-1

CVE-2021-45958, CVE-2022-31116, CVE-2022-31117

Severity

Critical

Ubuntu Security Notice USN-6629-1
