IllegalArgumentException in IonParser.getEmbeddedObject() #302

@ZanderHuang

Description

This vulnerability is an Uncaught Exception of java.lang.IllegalArgumentException in com.fasterxml.jackson.dataformat, jackson-dataformat-ion (2.13.0, the latest version) with com.amazon.ion, ion-java (1.8.3, the latest version). Specifically, it fails to check the runtime exception java.lang.IllegalArgumentException in the function com.fasterxml.jackson.dataformat.ion.IonParser.getEmbeddedObject() (IonParser.java:434).
Attackers can launch DoS (Denial of Service) attacks against any program that directly uses this library (CWE-2248: Uncaught exception).

The vulnerable code:

    // the _reader.timestampValue() can throw java.lang.IllegalArgumentException
    case TIMESTAMP:
        return _reader.timestampValue();

The crash stack:

at com.amazon.ion.Timestamp.checkAndCastDay(Timestamp.java:2821)
at com.amazon.ion.Timestamp.<init>(Timestamp.java:599)
at com.amazon.ion.Timestamp.valueOf(Timestamp.java:1112)
at com.amazon.ion.impl.IonReaderTextSystemX.load_scalar_value(IonReaderTextSystemX.java:289)
at com.amazon.ion.impl.IonReaderTextSystemX.load_once(IonReaderTextSystemX.java:90)
at com.amazon.ion.impl.IonReaderTextSystemX.load_or_cast_cached_value(IonReaderTextSystemX.java:110)
at com.amazon.ion.impl.IonReaderTextSystemX.timestampValue(IonReaderTextSystemX.java:587)
at com.fasterxml.jackson.dataformat.ion.IonParser.getEmbeddedObject(IonParser.java:434)
at com.fasterxml.jackson.databind.deser.std.BaseNodeDeserializer._fromEmbedded(JsonNodeDeserializer.java:672)
at com.fasterxml.jackson.databind.deser.std.BaseNodeDeserializer._deserializeRareScalar(JsonNodeDeserializer.java:594)
at com.fasterxml.jackson.databind.deser.std.BaseNodeDeserializer._deserializeContainerNoRecursion(JsonNodeDeserializer.java:542)
at com.fasterxml.jackson.databind.deser.std.JsonNodeDeserializer.deserialize(JsonNodeDeserializer.java:88)
at com.fasterxml.jackson.databind.deser.std.JsonNodeDeserializer.deserialize(JsonNodeDeserializer.java:20)
at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:322)
at com.fasterxml.jackson.databind.ObjectMapper._readTreeAndClose(ObjectMapper.java:4717)
at com.fasterxml.jackson.databind.ObjectMapper.readTree(ObjectMapper.java:3090)
at com.test.Entry.main(Entry.java:51)

Proof of Concept

  • download the program that uses jackson and build it
        cd bug_reproduce_program_jackson_ion
        bash build.sh
  • use one of the poc files to trigger the crash (the crash-xxx file inside the poc shared link)
        java -jar built-target-program.jar pocfile

Fix suggestion

Wrap this kind of exception as a type of exception the library provides, e.g. IonException. Maybe the fix should be not only in jackson but also in the ion-java package it depends on.
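Until the library wraps the exception itself, an application that feeds untrusted Ion into jackson-dataformat-ion can apply the same idea at its own trust boundary. The following is an added example, not code from this issue or from the Jackson or ion-java projects: the class name SafeIonRead, the helper readTreeSafely and the sample Ion document are constructed for illustration. It assumes jackson-dataformat-ion (which provides com.fasterxml.jackson.dataformat.ion.IonObjectMapper) and its ion-java dependency are on the classpath.

```java
import java.io.IOException;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.dataformat.ion.IonObjectMapper;

/**
 * Hypothetical application-side guard around Jackson's Ion parsing.
 * Any java.lang.IllegalArgumentException that escapes the parser (the
 * uncaught exception reported in this issue) is translated into a checked
 * IOException, so a malformed document is rejected like any other parse
 * error instead of unwinding the calling thread.
 */
public class SafeIonRead {

    // One shared mapper; IonObjectMapper is the Ion-backed ObjectMapper
    // shipped by jackson-dataformat-ion.
    private static final IonObjectMapper MAPPER = new IonObjectMapper();

    /**
     * Parses untrusted Ion text into a JsonNode tree.
     *
     * @throws IOException for malformed input, whether the parser reports it
     *         as a JsonProcessingException (already an IOException) or lets an
     *         IllegalArgumentException out of ion-java's Timestamp validation.
     */
    static JsonNode readTreeSafely(String untrustedIonText) throws IOException {
        try {
            return MAPPER.readTree(untrustedIonText);
        } catch (IllegalArgumentException e) {
            // Wrap the unchecked exception so callers see a single,
            // recoverable failure type for bad input.
            throw new IOException("Rejected malformed Ion document: " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed, well-formed sample document; the timestamp field is the
        // scalar kind that IonParser.getEmbeddedObject() hands to the reader.
        String sample = "{ name: \"order-1\", created: 2021-01-01T00:00:00Z }";

        JsonNode tree = readTreeSafely(sample);
        System.out.println("name    = " + tree.get("name").asText());
        System.out.println("created = " + tree.get("created"));
    }
}
```

Two points worth knowing when adopting this pattern: com.amazon.ion.IonException, the wrapper type the fix suggestion names, is itself an unchecked exception (it extends RuntimeException), so even after a library-side fix a caller processing untrusted input still needs a catch at the trust boundary; and if the service must never drop a request over a parse failure, widen the catch to RuntimeException at that single boundary rather than sprinkling narrow catches through the code base.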

Impact

The attackers can launch DoS (Denial of Service) attacks to any program that directly uses this library (CWE-2248: Uncaught exception).
