CVE-2024-27307: Not only machine learning users should stay alert; other systems are affected too, since z/OS Connect Designer uses JSONata, an open source expression language for querying and transforming JSON data. (7th Mar 2024)

Preface: What is declarative machine learning? Declarative machine learning lets users specify what they want and leaves it to the software to figure out how to do it. In that sense it resembles AutoML tools, which also make default selections and automate part or all of the ML lifecycle.

Background: JSONata is a JSON query and transformation language inspired by the location path semantics of XPath 3.1. XPath 3.1 is an expression language for processing values that conform to the data model defined in [XQuery and XPath Data Model (XDM) 3.1].

The JSONata reference implementation is written in JavaScript and ships via NPM. Implementations also exist in Rust, Go, Java, Python and .NET, some of which embed a JavaScript interpreter to ensure compatibility.

Vulnerability details: Starting in version 1.4.0 and prior to versions 1.8.7 and 2.0.4, a malicious expression can use the transform operator (`| location | update | delete |`) to override properties on the `Object` constructor and prototype. Because those properties are shared by every object in the JavaScript process, this may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions. Applications that only evaluate expressions they author themselves are not exposed to untrusted input through this path.
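To make the bug class concrete, here is an added illustration written for this post. It is not JSONata's own code and does not reproduce the expression syntax or the exact code path that was patched: a simplified deep merge (`deepMergeUnsafe`) stands in for an update step that copies user-controlled keys by plain property access, `deepMergeSafe` shows the two usual hardening measures, and the two payloads are constructed for the demonstration, in the shape `JSON.parse` hands back for user-supplied JSON.

```javascript
// Added illustration of the bug class behind CVE-2024-27307, written for this
// post. It is NOT JSONata's own code: a simplified deep merge stands in for the
// transform operator, and the payloads are constructed for the demonstration.

function isObjectLike(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern: copy attacker-controlled keys into the result with plain
// property access. On a fresh target, "__proto__" resolves (via the inherited
// accessor) to Object.prototype and "constructor" resolves to the Object
// function, so a nested payload walks straight onto the shared prototype.
function deepMergeUnsafe(target, update) {
  for (const key of Object.keys(update)) {
    const value = update[key];
    if (isPlainObject(value)) {
      if (!isObjectLike(target[key])) target[key] = {};
      deepMergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: refuse the reserved keys outright, and only descend into
// properties the target itself owns, so prototype-chain lookups never happen.
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function deepMergeSafe(target, update) {
  for (const key of Object.keys(update)) {
    if (RESERVED_KEYS.has(key)) {
      throw new Error(`refusing to assign reserved key "${key}"`);
    }
    const value = update[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      deepMergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs both merges against two constructed payloads and reports what happened.
// The pollution is undone before returning so the rest of the process is clean.
function demonstrate() {
  const viaProto = JSON.parse('{"__proto__": {"polluted": true}}');
  const viaCtor = JSON.parse('{"constructor": {"prototype": {"viaCtor": true}}}');
  const result = { before: ({}).polluted };   // undefined: nothing polluted yet

  deepMergeUnsafe({}, viaProto);
  result.afterProto = ({}).polluted;          // true: every object now inherits it
  deepMergeUnsafe({}, viaCtor);
  result.afterCtor = ({}).viaCtor;            // true: same outcome via constructor.prototype
  delete Object.prototype.polluted;
  delete Object.prototype.viaCtor;

  result.rejected = 0;
  for (const payload of [viaProto, viaCtor]) {
    try { deepMergeSafe({}, payload); } catch (e) { result.rejected += 1; }
  }
  result.stillClean = ({}).polluted === undefined && ({}).viaCtor === undefined;
  // Ordinary updates still merge as expected.
  result.merged = JSON.stringify(deepMergeSafe({ a: { b: 1 } }, { a: { c: 2 }, d: 3 }));
  return result;
}

console.log(demonstrate());
```

The second defence (only following own properties) matters on its own: even if a reserved-key blocklist is bypassed by some future spelling, a merge that never reads through the prototype chain cannot reach `Object.prototype`. Building result objects with `Object.create(null)` is a third option that removes the inherited `__proto__` accessor entirely.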

Remedy: This issue has been fixed in JSONata versions 1.8.7 and 2.0.4. Applications that evaluate user-provided expressions should update as soon as possible to prevent exploitation; check for nested copies of the package pulled in by other dependencies as well as the top-level one. If upgrading is not immediately possible, the upstream fix can be applied manually as a workaround.
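The following is an added triage helper, not part of the advisory or the JSONata project: it encodes the affected ranges quoted above (>=1.4.0 <1.8.7 and >=2.0.0 <2.0.4) and walks a `package-lock.json` (lockfile version 2 or 3, which lists every installed copy under `packages` keyed by path) so that nested copies of `jsonata` are not missed. `SAMPLE_LOCK` is a constructed lockfile for the example, not from a real project.

```javascript
// Added helper, not part of the advisory: flag every installed copy of jsonata
// that falls in the affected ranges, including copies nested under other
// dependencies, which `npm ls` at the top level can hide.

function parseVersion(v) {
  // Pre-release suffixes (e.g. "2.0.4-rc.1") are ignored; only X.Y.Z is compared.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Ranges from the advisory: from (inclusive) up to before (exclusive).
const AFFECTED_RANGES = [
  { from: '1.4.0', before: '1.8.7' },
  { from: '2.0.0', before: '2.0.4' },
];

function isAffected(version) {
  return AFFECTED_RANGES.some(r =>
    compareVersions(version, r.from) >= 0 && compareVersions(version, r.before) < 0);
}

// package-lock v2/v3 layout: "packages" is a map keyed by install path, so a
// nested copy appears as ".../node_modules/jsonata" under its parent.
function findAffectedJsonata(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isJsonata = path === 'node_modules/jsonata' || path.endsWith('/node_modules/jsonata');
    if (isJsonata && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile for this example (not from a real project):
// the top-level copy is fixed, but a mapper library still pins a vulnerable one.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.1' },
    'node_modules/jsonata': { version: '2.0.4' },
    'node_modules/some-mapper': { version: '1.0.0' },
    'node_modules/some-mapper/node_modules/jsonata': { version: '1.8.5' },
    'node_modules/legacy-tool/node_modules/jsonata': { version: '1.3.5' },
  },
};

console.log(findAffectedJsonata(SAMPLE_LOCK));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Remember that the fixed version only helps if the application also stops exposing `Object.prototype` through other means, and that the 1.3.x copy in the sample predates the affected range rather than being patched.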

Official announcement: Please refer to the link for details: https://nvd.nist.gov/vuln/detail/CVE-2024-27307
