Bug 2185707 (CVE-2021-46877)
Summary: | CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Sandipan Roy <saroy> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | aazores, abenaiss, alampare, alazarot, anstephe, asoldano, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmoulliard, dandread, darran.lofthouse, dfreiber, dhanak, dkreling, dosoudil, drichtar, eaguilar, ebaron, eglynn, ehelms, ellin, emingora, eric.wittmann, fjuma, fmongiar, gjospin, gsmet, gzaronik, hamadhan, hbraun, hhorak, ibek, ikanello, ivassile, iweiss, jburrell, jcantril, jjoyce, jkang, jmartisk, jnethert, jolee, jorton, jpallich, jpechane, jpoth, jrokos, jross, jschatte, jscholz, jsherril, jstastny, kverlaen, lbacciot, lgao, lhh, lpeer, lthon, lzap, max.andersen, mburns, mgarciac, mhulan, mizdebsk, mkolesni, mnovotny, mosmerov, msochure, msvehla, myarboro, nboldt, nmoumoul, nwallace, orabin, pantinor, pcreech, pdelbell, pdrozd, peholase, periklis, pgallagh, pjindal, pmackay, probinso, pskopek, rchan, rguimara, rhcs-maint, rjohnson, rkieley, rogbas, rowaters, rruss, rstancel, rsvoboda, sbiarozk, scohen, scorneli, sdouglas, sfroberg, shbose, smaestri, spower, sthorger, swoodman, tcunning, tom.jenkinson, tqvarnst, vkumar, yfang |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | jackson-databind 2.13.1, jackson-databind 2.12.6 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2023-05-18 15:41:15 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 2135924, 2185708, 2185709, 2185711, 2187369 | | |
Bug Blocks: | 2179731 | | |
Description
Sandipan Roy
2023-04-11 04:16:46 UTC
Created jackson-databind tracking bugs for this issue:

- Affects: fedora-36 [bug 2185709]
- Affects: fedora-37 [bug 2185711]

This issue has been addressed in the following products:

- Red Hat AMQ Streams 2.4.0. Via RHSA-2023:3223 https://access.redhat.com/errata/RHSA-2023:3223

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-46877

This issue has been addressed in the following products:

- OpenShift Developer Tools and Services for OCP 4.13. Via RHSA-2023:3299 https://access.redhat.com/errata/RHSA-2023:3299
- Migration Toolkit for Runtimes 1 on RHEL 8. Via RHSA-2023:3373 https://access.redhat.com/errata/RHSA-2023:3373
- OpenShift Developer Tools and Services for OCP 4.12. Via RHSA-2023:3610 https://access.redhat.com/errata/RHSA-2023:3610
- RHINT Service Registry 2.4.3 GA. Via RHSA-2023:3815 https://access.redhat.com/errata/RHSA-2023:3815
- Red Hat JBoss Enterprise Application Platform. Via RHSA-2023:4509 https://access.redhat.com/errata/RHSA-2023:4509
- Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7. Via RHSA-2023:4505 https://access.redhat.com/errata/RHSA-2023:4505
- Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8. Via RHSA-2023:4506 https://access.redhat.com/errata/RHSA-2023:4506
- Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9. Via RHSA-2023:4507 https://access.redhat.com/errata/RHSA-2023:4507
- MTA-6.2-RHEL-9, MTA-6.2-RHEL-8. Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627
- Red Hat support for Spring Boot 2.7.13. Via RHSA-2023:4612 https://access.redhat.com/errata/RHSA-2023:4612
- Red Hat Single Sign-On 7.6 for RHEL 8. Via RHSA-2023:4919 https://access.redhat.com/errata/RHSA-2023:4919
- Red Hat Single Sign-On 7.6 for RHEL 7. Via RHSA-2023:4918 https://access.redhat.com/errata/RHSA-2023:4918
- RHEL-8 based Middleware Containers. Via RHSA-2023:4921 https://access.redhat.com/errata/RHSA-2023:4921
- Red Hat Single Sign-On 7.6 for RHEL 9. Via RHSA-2023:4920 https://access.redhat.com/errata/RHSA-2023:4920
- Red Hat Single Sign-On 7.6.5. Via RHSA-2023:4924 https://access.redhat.com/errata/RHSA-2023:4924
- RHINT Camel-Springboot 3.18.3.2. Via RHSA-2023:5147 https://access.redhat.com/errata/RHSA-2023:5147
- Red Hat Satellite 6 puppetserver. Via https://access.redhat.com/errata/RHSA-2023:2097