Impact
The used 3rd-party Library aeson stores JSON objects as hash maps (from unordered-container) that have collision problems. This allows an attacker to craft an object that causes the server to spend quadratic time parsing it, resulting in a denial of service.
Patches
- The issue has been fixed in wire-server 2022-03-01 and is already deployed on all Wire managed services.
- On premise instances of wire-server need to be updated to 2022-03-01, so that their backends are no longer affected.
Workarounds
References
For more information
If you have any questions or comments about this advisory feel free to email us at vulnerability-report@wire.com
Impact
The used 3rd-party Library aeson stores JSON objects as hash maps (from unordered-container) that have collision problems. This allows an attacker to craft an object that causes the server to spend quadratic time parsing it, resulting in a denial of service.
Patches
Workarounds
References
For more information
If you have any questions or comments about this advisory feel free to email us at vulnerability-report@wire.com