CVE-2024-21634: 
Java vulnerability analysis and mitigation

A potential denial-of-service vulnerability (CVE-2024-21634) was discovered in ion-java, Amazon's Java implementation of the Ion data notation. The vulnerability affects versions prior to 1.10.5 and was disclosed on January 3, 2024. The issue impacts applications that use ion-java to deserialize Ion text encoded data or process Ion text/binary encoded data using the IonValue model (GitHub Advisory).

The vulnerability occurs when applications process Ion data using specific IonValue methods on in-memory representations. When maliciously crafted Ion data is loaded by the affected application or processed using the IonValue model, it can trigger a StackOverflowError originating from the ion-java library. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (GitHub Advisory).

The primary impact of this vulnerability is the potential for denial-of-service attacks. When successfully exploited, it can cause the application to experience a StackOverflowError, potentially leaving the system in an unreliable state. The vulnerability specifically affects the availability of the system while having no direct impact on confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in ion-java version 1.10.5 and later. As a workaround, users are advised not to load data that originated from untrusted sources or that could have been tampered with. Organizations should only process data from trusted sources. For immediate mitigation without upgrading, implementing strict input validation and limiting the processing of Ion data to trusted sources is recommended (GitHub Advisory).