Bug 1199064 (CVE-2022-25647)

Summary: VUL-0: CVE-2022-25647: google-gson: Deserialization of Untrusted Data
Product: [Novell Products] SUSE Security Incidents
Reporter: Hu <cathy.hu>
Component: Incidents
Assignee: Fridrich Strba <fstrba>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: fstrba, smash_bz, thomas.leroy
Version: unspecified
Flags: thomas.leroy: needinfo? (fstrba)
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/330419/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-25647:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Hu 2022-05-02 07:30:47 UTC
CVE-2022-25647

The package com.google.code.gson:gson before 2.8.9 is vulnerable to
Deserialization of Untrusted Data via the writeReplace() method in internal
classes, which may lead to DoS attacks.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25647
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647
https://github.com/google/gson/pull/1991
https://github.com/google/gson/pull/1991/commits
https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327

Comment 1 Hu 2022-05-02 07:31:16 UTC
Affected:
 - SUSE:SLE-15-SP2:Update/google-gson                             2.8.5
 - SUSE:SLE-15-SP2:Update:Products:Manager41:Update/google-gson   2.8.5

Not Affected:
 - openSUSE:Factory/google-gson                                   2.8.9

Comment 6 Swamp Workflow Management 2022-06-10 16:16:29 UTC
SUSE-SU-2022:2044-1: An update that fixes one vulnerability and contains one feature is now available.

Category: security (important)
Bug References: 1199064
CVE References: CVE-2022-25647
JIRA References: SLE-24261
Sources used:
openSUSE Leap 15.4 (src):    google-gson-2.8.9-150200.3.6.3
openSUSE Leap 15.3 (src):    google-gson-2.8.9-150200.3.6.3
SUSE Manager Server 4.1 (src):    google-gson-2.8.9-150200.3.6.3
SUSE Manager Retail Branch Server 4.1 (src):    google-gson-2.8.9-150200.3.6.3
SUSE Manager Proxy 4.1 (src):    google-gson-2.8.9-150200.3.6.3
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    google-gson-2.8.9-150200.3.6.3
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    google-gson-2.8.9-150200.3.6.3
SUSE Linux Enterprise Server 15-SP2-BCL (src):    google-gson-2.8.9-150200.3.6.3
SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (src):    google-gson-2.8.9-150200.3.6.3
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    google-gson-2.8.9-150200.3.6.3
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    google-gson-2.8.9-150200.3.6.3
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    google-gson-2.8.9-150200.3.6.3
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    google-gson-2.8.9-150200.3.6.3
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    google-gson-2.8.9-150200.3.6.3
SUSE Enterprise Storage 7 (src):    google-gson-2.8.9-150200.3.6.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 8 Thomas Leroy 2022-08-11 08:58:03 UTC
Hi Fridrich, could you also please submit to SUSE:SLE-15-SP2:Update:Products:Manager41:Update? :)

Comment 10 Swamp Workflow Management 2022-10-24 16:23:14 UTC
SUSE-SU-2022:3706-1: An update that fixes one vulnerability and contains one feature is now available.

Category: security (moderate)
Bug References: 1199064
CVE References: CVE-2022-25647
JIRA References: SLE-24261
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    google-gson-2.8.9-150200.3.7.1