Description
Summary
The threetenbp package contains a Denial of Service (DoS) vulnerability classified as an Integer Overflow or Wraparound. The parse() function of the DateTimeFormatter class does not validate that the user-supplied text parameter is non-empty. A remote attacker who can supply an empty string causes the parse position index to become 10, which triggers an IndexOutOfBoundsException; if the application does not catch this unchecked exception, the result can be a Denial of Service condition.
Component Name: org.threeten:threetenbp
Component Version: 1.7.0 or 1.7.1
Repository: maven
Instance ID: 49C657855D53D38029140B1C98E9880B
Primary Rule ID: CVE-2024-23082
CVSS Base Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
File Locations
fortifyUpload/subModuleDependencies/threetenbp-1.7.0.jar
Standards and Best Practices
OWASP 2021
A06:2021 – Vulnerable and Outdated Components
PCI 4.0
6.3.3 – All system components are protected from known vulnerabilities by installing applicable security patches/updates
Detection
The finding is presence-based: the application bundles the jar listed under File Locations, and that component version is within the range covered by CVE-2024-23082. It does not by itself establish that untrusted input reaches DateTimeFormatter.parse(); confirm that at the call sites before prioritizing remediation.
Recommendation
There is no non-vulnerable upgrade path for this component/package. We recommend investigating alternative components or a mitigating control, such as validating input before it reaches DateTimeFormatter.parse() and catching the unchecked exception the parser can throw.
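The mitigating control suggested above, as an added example that is not part of threetenbp or of this report: a wrapper that rejects null, empty, blank and oversized input before the text reaches DateTimeFormatter.parse(), and treats any RuntimeException escaping the parser (DateTimeParseException as well as the IndexOutOfBoundsException named in the summary) as a parse failure instead of letting it propagate. The class and method names SafeDateParser and parseDate, the ISO_LOCAL_DATE format and the 64-character cap are assumptions for illustration; the org.threeten.bp types used are the real threetenbp API.

```java
import java.util.Optional;
import org.threeten.bp.LocalDate;
import org.threeten.bp.format.DateTimeFormatter;
import org.threeten.bp.format.DateTimeParseException;

/**
 * Added example (hypothetical class, not threetenbp code): validates
 * untrusted text before handing it to DateTimeFormatter.parse().
 */
public final class SafeDateParser {

    // Assumption: callers accept ISO-8601 local dates such as 2024-01-31.
    private static final DateTimeFormatter FORMAT = DateTimeFormatter.ISO_LOCAL_DATE;

    // Assumption: hard length cap so oversized input never reaches the parser.
    private static final int MAX_LENGTH = 64;

    private SafeDateParser() {}

    /**
     * Returns the parsed date, or Optional.empty() for null, empty, blank,
     * oversized or unparseable input. Never throws for bad input.
     */
    public static Optional<LocalDate> parseDate(String text) {
        // The non-empty check the summary says parse() does not perform itself.
        if (text == null || text.isEmpty() || text.trim().isEmpty()) {
            return Optional.empty();
        }
        if (text.length() > MAX_LENGTH) {
            return Optional.empty();
        }
        try {
            return Optional.of(LocalDate.parse(text, FORMAT));
        } catch (DateTimeParseException e) {
            // Expected failure mode for malformed but non-empty text.
            return Optional.empty();
        } catch (RuntimeException e) {
            // Defense in depth: IndexOutOfBoundsException is unchecked and would
            // otherwise escape to the caller and take down the request thread.
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one valid date, then the edge cases.
        String[] samples = { "2024-01-31", "", "   ", "2024-13-01", null };
        for (String s : samples) {
            System.out.println("[" + s + "] -> " + parseDate(s));
        }
    }
}
```

Routing every external date string through a wrapper like this does not change the component version, so the scanner will keep reporting the finding; record the wrapper as the compensating control for this issue and keep watching for a fixed release.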
Next Non-Vulnerable Version
There are no component versions available with zero published vulnerabilities.
Greatest Non-Vulnerable Version
There are no component versions available with zero published vulnerabilities.
Links
https://gist.github.com/LLM4IG/d2618f5f4e5ac37eb75cff5617e58b90