CVE-2024-21634 Report - Details, Severity, & Advisories

Twingate Team

Jul 4, 2024

What is CVE-2024-21634?

CVE-2024-21634 is a high-severity vulnerability in Amazon Ion's Java implementation in versions prior to 1.10.5. This vulnerability can lead to a denial-of-service issue when deserializing Ion text encoded data or deserializing Ion text or binary encoded data into the IonValue model. An attacker could exploit this by crafting Ion data that causes a StackOverflowError in the ion-java library. Systems using ion-java versions less than 1.10.5 for these tasks are at risk.

Who is impacted by CVE-2024-21634?

CVE-2024-21634 affects users of the Amazon Ion Java implementation in versions prior to 1.10.5. Those who use the ion-java library to deserialize Ion text encoded data or deserialize Ion text or binary encoded data into the IonValue model are at risk. This vulnerability can lead to a denial-of-service problem, causing disruptions in affected applications.

What to do if CVE-2024-21634 affected you

If you're affected by the CVE-2024-21634 vulnerability, it's important to take action to protect your system. Follow these simple steps:

  1. Update to ion-java version 1.10.5 or later.

  2. Only load data from trusted sources and avoid data that could have been tampered with.

By taking these precautions, you can help prevent potential denial-of-service issues and keep your system secure.
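To support step 1, the following added example (not part of the original advisory or of the ion-java project) flags ion-java versions below 1.10.5 in dependency listings shaped like `mvn dependency:list` output. The Maven coordinates `com.amazon.ion:ion-java` and `software.amazon.ion:ion-java`, the function names, and the sample lines are assumptions made for this sketch; the sample input is constructed.

```python
import re

FIXED = (1, 10, 5)  # first fixed release named in this advisory
# Assumed Maven coordinates for ion-java (not stated on this page).
ARTIFACTS = {"com.amazon.ion:ion-java", "software.amazon.ion:ion-java"}

def parse_version(text):
    """Return ((major, minor, patch), qualifier) or None if not numeric."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", text)
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    return (nums + (0, 0, 0))[:3], m.group(2)

def is_affected(version):
    """True if the version is below 1.10.5 (compared numerically, not as text)."""
    parsed = parse_version(version)
    if parsed is None:
        return True  # unparseable version: flag it for manual review
    nums, qualifier = parsed
    # Assumption: any qualifier on 1.10.5 (e.g. -SNAPSHOT) is a pre-release build.
    return nums < FIXED or (nums == FIXED and qualifier != "")

def find_affected(dependency_lines):
    """Scan group:artifact:type[:classifier]:version:scope tokens for ion-java."""
    hits = []
    for line in dependency_lines:
        for token in line.split():
            parts = token.split(":")
            if len(parts) not in (5, 6):
                continue
            name = f"{parts[0]}:{parts[1]}"
            if name in ARTIFACTS and is_affected(parts[-2]):
                hits.append((name, parts[-2]))
    return hits

# Constructed sample input, not output from a real project.
SAMPLE = """\
[INFO]    com.amazon.ion:ion-java:jar:1.10.4:compile
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.15.2:compile
[INFO]    software.amazon.ion:ion-java:jar:1.5.1:runtime
[INFO]    com.amazon.ion:ion-java:jar:1.10.5:compile
[INFO]    com.amazon.ion:ion-java:jar:1.11.0:test
""".splitlines()

if __name__ == "__main__":
    for name, version in find_affected(SAMPLE):
        print(f"affected: {name} {version} (upgrade to 1.10.5 or later)")
```

Run it over the resolved dependency list rather than the declared one, since ion-java is often pulled in transitively by other libraries.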

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

The CVE-2024-21634 vulnerability, a denial-of-service issue in Amazon Ion's Java implementation, is not listed in CISA's Known Exploited Vulnerabilities Catalog.

Weakness Enumeration

The weakness enumeration for this vulnerability is categorized as CWE-770, which involves allocation of resources without limits or throttling, potentially causing a denial-of-service issue.

Learn More

To learn more about its technical details, severity, and affected software configurations, visit the NVD page or refer to the sources below.
