Preface: Ensure that the JSON parser does not try to write a potentially unlimited number of elements into a C array of a fixed size.

Background: Zephyr is a small real-time operating system (RTOS) for connected, resource-constrained and embedded devices (with an emphasis on microcontrollers) supporting multiple architectures and released under the Apache License 2.0. Zephyr includes a kernel, and all components and libraries, device drivers, protocol stacks, file systems, and firmware updates, needed to develop full application software. Furthermore the footprint as small as 8K.

Vulnerability details: Till now, the CVSS score not been defined yet. According to 4 different vulnerabilities registered this month. There are two different vulnerabilities related to BLE. Besides, a vulnerability related to Zigbee. The remaining one is related to JSON decoder. The flaw of JSON decoder display as below: When using JSON_OBJ_DESCR_ARRAY_ARRAY, the subarray is has the token type JSON_TOK_LIST_START, but then assigns to the object part of the union. “arr_parse” then takes the offset of the array-object (which has nothing todo with the list) treats it as relative to the parent object, and stores the length of the subarray in there. For the details of this vulnerability, please refer to link – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-289f-7mw3-2qf4

The following list shows other CVE details:

BLE:

CVE-2021-3436 – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63

CVE-2021-3581 – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8q65-5gqf-fmw5

Zigbee:

CVE-2021-3319 – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-94jg-2p6q-5364