CVE-2022-40149: 
Java vulnerability analysis and mitigation

Jettison, a collection of StAX parsers and writers for JSON, contains a vulnerability (CVE-2022-40149) that was discovered in September 2022. The vulnerability affects systems using Jettison to parse untrusted XML or JSON data. When the parser runs on user-supplied input, it becomes susceptible to Denial of Service (DoS) attacks through stack overflow conditions (NVD, MITRE).

The vulnerability has a CVSS v3.1 base score of 7.5 (High), with the following characteristics: Network attack vector, Low attack complexity, No privileges required, No user interaction needed, Unchanged scope, No impact on confidentiality or integrity, but High impact on availability. The vulnerability vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Ubuntu).

When exploited, this vulnerability can lead to Denial of Service (DoS) attacks through stack overflow conditions. The primary impact is on system availability, with no direct effect on confidentiality or integrity. The vulnerability can cause the parser to crash when processing maliciously crafted input (MITRE, NVD).

Multiple vendors have released security updates to address this vulnerability. Red Hat has included fixes in JBoss Enterprise Application Platform 7.4.9. Debian has released version 1.4.0-1+deb10u1 for Debian 10 (Buster) and version 1.5.3-1~deb11u1 for the stable distribution (Bullseye). Ubuntu has also provided fixes across multiple versions, including version 1.4.1-1ubuntu0.22.04.1 for Ubuntu 22.04 LTS (Red Hat, Debian).