Bug 2242521 (CVE-2023-39410)
Summary: | CVE-2023-39410 apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Patrick Del Bello <pdelbell> |
Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
Status: | NEW --- | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | aileenc, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, ccranfor, cdewolf, chazlett, chfoley, clement.escoffier, cmiranda, dandread, darran.lofthouse, dkreling, dosoudil, drichtar, eric.wittmann, fjuma, fmariani, fmongiar, gmalinko, gsmet, ivassile, iweiss, janstey, jcantril, jcechace, jmartisk, jnethert, jolee, jpechane, jpoth, jschatte, jscholz, jstastny, lgao, lthon, max.andersen, mosmerov, msochure, mstefank, msvehla, mulliken, nwallace, pantinor, pcongius, pdelbell, pdrozd, peholase, periklis, pgallagh, pjindal, pmackay, probinso, pskopek, rowaters, rruss, rstancel, rsvoboda, sbiarozk, sdouglas, smaestri, sthorger, swoodman, tcunning, tom.jenkinson, tqvarnst, yfang |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | apache-avro 1.11.3 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in apache-avro. When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints, leading to an out-of-memory error and a denial of service on the system.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | Type: | --- | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 2242520 |
Description
Patrick Del Bello
2023-10-06 17:32:54 UTC
This issue has been addressed in the following products: Red Hat Fuse 7.12.1 Via RHSA-2023:7247 https://access.redhat.com/errata/RHSA-2023:7247 This issue has been addressed in the following products: Red Hat build of Quarkus 3.2.9 Via RHSA-2023:7612 https://access.redhat.com/errata/RHSA-2023:7612 This issue has been addressed in the following products: Red Hat Integration Via RHSA-2023:7617 https://access.redhat.com/errata/RHSA-2023:7617 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Via RHSA-2023:7639 https://access.redhat.com/errata/RHSA-2023:7639 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2023:7637 https://access.redhat.com/errata/RHSA-2023:7637 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2023:7638 https://access.redhat.com/errata/RHSA-2023:7638 This issue has been addressed in the following products: EAP 7.4.14 Via RHSA-2023:7641 https://access.redhat.com/errata/RHSA-2023:7641 This issue has been addressed in the following products: Red Hat build of Quarkus 2.13.9 Via RHSA-2023:7700 https://access.redhat.com/errata/RHSA-2023:7700 This issue has been addressed in the following products: Red Hat Integration Via RHSA-2023:7705 https://access.redhat.com/errata/RHSA-2023:7705 This issue has been addressed in the following products: Red Hat Fuse 7.13.0 Via RHSA-2024:3354 https://access.redhat.com/errata/RHSA-2024:3354 |