Bug 2298829 (CVE-2024-41172)

Summary: CVE-2024-41172 apache: cxf: org.apache.cxf:cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anstephe, arnavarr, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmiranda, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, dpalmer, drichtar, ecerquei, fjuma, fmariani, fmongiar, gmalinko, gsmet, hamadhan, ibek, istudens, ivassile, iweiss, janstey, jkoops, jmartisk, jnethert, jpoth, jrokos, kverlaen, lgao, lthon, manderse, mnovotny, mosmerov, msochure, msvehla, mulliken, nwallace, olubyans, pcongius, pdelbell, pdrozd, peholase, pesilva, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rmartinc, rowaters, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdouglas, smaestri, sthorger, tcunning, tom.jenkinson, tqvarnst, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A memory consumption flaw was found in Apache CXF. This issue may allow a CXF HTTP client conduit to prevent HTTPClient instances from being garbage collected, eventually causing the application to run out of memory.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2024-07-19 09:20:38 UTC 
In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run  out of memory
Comment 1 errata-xmlrpc 2024-09-09 17:17:34 UTC 
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.4.2 for Spring Boot

Via RHSA-2024:6508 https://access.redhat.com/errata/RHSA-2024:6508
Comment 2 errata-xmlrpc 2024-09-24 12:53:04 UTC 
This issue has been addressed in the following products:

  Red Hat build of Apache Camel for Quarkus 2.13

Via RHSA-2024:7052 https://access.redhat.com/errata/RHSA-2024:7052
Comment 3 errata-xmlrpc 2024-11-04 20:11:32 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9

Via RHSA-2024:8824 https://access.redhat.com/errata/RHSA-2024:8824
Comment 4 errata-xmlrpc 2024-11-04 20:12:31 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

Via RHSA-2024:8823 https://access.redhat.com/errata/RHSA-2024:8823
Comment 5 errata-xmlrpc 2024-11-04 20:56:44 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2024:8826 https://access.redhat.com/errata/RHSA-2024:8826