CVE-2021-41119: 
Linux Ubuntu vulnerability analysis and mitigation

Wire-server, the system server for wire back-end services, was affected by a denial of service vulnerability (CVE-2021-41119) in releases prior to v2022-03-01. The vulnerability was discovered and disclosed on April 13, 2022. The issue allowed attackers to cause a denial of service attack via a crafted object causing a hash collision, which would cause the server to spend quadratic time parsing it (AttackerKB).

The vulnerability stems from a hash collision in the JSON parser where a specially crafted object could trigger quadratic processing time. When parsing the malicious input, the server would spend significantly more time processing it compared to regular inputs of the same size. The attack vector requires network access with no privileges or user interaction required (AttackerKB).

The vulnerability could lead to denial of service for heavily used servers, where a malicious request could keep the server busy for minutes while processing a relatively small payload. Tests demonstrated that a 5MB malicious JSON payload could keep a server occupied for over 2 minutes compared to 0.3 seconds for a regular payload of the same size (CS SYD).

The issue has been fixed in wire-server 2022-03-01 and was deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-03-01 to protect their backends. There are no known workarounds for this issue (AttackerKB).