Can you explain this vulnerability to me?

This vulnerability exists in the jq command-line JSON processor, specifically in the jv_parse_sized() API of libjq before a certain patch. The function accepts a buffer with an explicit length, but when handling errors, it incorrectly formats the input buffer using a method that reads until a NUL terminator instead of respecting the provided length. If the input buffer is malformed JSON and not NUL-terminated, this causes an out-of-bounds read past the buffer's end.

This flaw can be triggered by any consumer of libjq calling jv_parse_sized() with untrusted input, potentially leading to memory disclosure or process termination depending on the memory layout.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

The vulnerability can lead to an out-of-bounds memory read when processing malformed JSON input, which may result in memory disclosure or cause the process to terminate unexpectedly.

This means that an attacker could potentially access sensitive information from memory or cause denial of service by crashing the application using libjq.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f. Immediate mitigation involves updating jq to a version that includes this patch.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability in libjq's jv_parse_sized() function can lead to memory disclosure or process termination when parsing malformed JSON from untrusted input. Memory disclosure vulnerabilities may expose sensitive data held in memory, which could potentially include personal or protected information.

Such exposure risks could impact compliance with data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive data against unauthorized access or leaks.

However, the vulnerability specifically affects libjq consumers that use the jv_parse_sized() API with untrusted, non-NUL-terminated buffers, and internal jq uses are not affected. The practical attack surface is limited to external API consumers.

Therefore, organizations using libjq in contexts where untrusted JSON input is parsed should consider this vulnerability in their risk assessments and remediation plans to maintain compliance with relevant standards.

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability occurs in the libjq function jv_parse_sized() when it processes malformed JSON in a non-NUL-terminated buffer, causing an out-of-bounds read. Detection involves identifying usage of libjq's jv_parse_sized() API with untrusted input that may trigger this condition.

Since the vulnerability is triggered by passing malformed JSON buffers without a terminating NUL byte, one way to detect it is to test the parsing of such inputs using jq or any software that uses libjq's jv_parse_sized() function.

A practical approach is to run a test command that attempts to parse a deliberately malformed JSON input that is not NUL-terminated and observe if the process crashes or leaks memory.

• Use a custom test program or script that calls jv_parse_sized() with a non-NUL-terminated malformed JSON buffer, for example a single character '{' without a terminating NUL byte.
• Monitor logs or process behavior for crashes or memory disclosure when parsing such inputs.

No specific jq command-line commands are provided in the resources because the vulnerability affects the libjq API rather than the jq CLI directly. Detection requires testing the vulnerable API usage in the consuming application.

Useful 0 Not Useful 0