Description
A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11.
Statement
In OpenShift Container Platform (OCP), the openshift4/ose-logging-elasticsearch6 container bundles the vulnerable version of apache-cxf, but OCP 4.6 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities because it is now in the Maintenance Phase of support; hence this component is marked as OOSS. Starting in 4.7, this component is delivered as part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8 container) and is not affected by this vulnerability.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch6-rhel8 | Not affected | | |
| Red Hat BPM Suite 6 | cxf-rt-rs-json-basic | Not affected | | |
| Red Hat Decision Manager 7 | cxf-rt-rs-json-basic | Not affected | | |
| Red Hat Integration Camel Quarkus 1 | cxf-rt-rs-json-basic | Affected | | |
| Red Hat JBoss Data Virtualization 6 | cxf-rt-rs-json-basic | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 6 | cxf-rt-rs-json-basic | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 7 | cxf-rt-rs-json-basic | Not affected | | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | cxf-rt-rs-json-basic | Not affected | | |
| Red Hat JBoss Fuse 6 | cxf-rt-rs-json-basic | Out of support scope | | |
| Red Hat JBoss Fuse Service Works 6 | cxf-rt-rs-json-basic | Not affected | | |
Additional information
Status:
CVSS3: 7.5 High