Bug 2274516 (CVE-2024-23080)

Summary: CVE-2024-23080 joda-time: Null pointer exeption may lead to DoS
Product: [Other] Security Response Reporter: Marco Benatto <mbenatto>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adupliak, aileenc, apjagtap, asatyam, asoldano, ataylor, bbaranow, bbuckingham, bcourt, bmaxwell, boliveir, brian.stansberry, caswilli, ccranfor, cdewolf, chazlett, chfoley, cmiranda, darran.lofthouse, dfreiber, dhanak, diagrawa, dkreling, dosoudil, dpalmer, drichtar, drow, dsimansk, ecerquei, ehelms, eric.wittmann, fjansen, fjuma, fmariani, fmongiar, gmalinko, hhorak, ibek, ivassile, iweiss, janstey, jburrell, jcantril, jcechace, jnethert, jorton, jpechane, jpoth, jrokos, jross, jscholz, jsherril, kaycoth, kholdawa, kingland, kverlaen, lgao, lzap, matzew, mhulan, mizdebsk, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nmoumoul, nwallace, orabin, pantinor, pcongius, pcreech, pdelbell, pdrozd, peholase, periklis, pierdipi, pjindal, pmackay, porcelli, pskopek, rchan, rguimara, rhuss, rjohnson, rkieley, rowaters, rstancel, sabiswas, saroy, sidakwo, skontopo, smaestri, spandura, sthorger, sveres, swoodman, tcunning, tom.jenkinson, vkumar, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-04-16 18:17:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2274518, 2274522, 2274523, 2274524, 2274526    
Bug Blocks: 2274519    

Description Marco Benatto 2024-04-11 13:01:08 UTC 
Joda Time v2.12.5 was discovered to contain a NullPointerException via the component org.joda.time.format.PeriodFormat::wordBased(Locale).

http://joda.com
https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f
https://github.com/JodaOrg/joda-time
Comment 1 Marco Benatto 2024-04-11 13:03:31 UTC 
Created picocli tracking bugs for this issue:

Affects: fedora-all [bug 2274518]
Comment 4 Borja Tarraso 2024-04-16 18:17:12 UTC 
This issue was raised by an AI-driven bot. The CVE describes that a NullPointerException is thrown when null is passed into a method. This is perfectly normal and not a security issue or CVE.

Users of Joda-Time do not need to take any action as the CVE is invalid. This has been confirmed by the Joda-Time Security team at https://www.joda.org/joda-time//security.html.