A vulnerability related to parsing was found in the Apache PDFBox parser. A carefully crafted PDF file can trigger an extremely long-running computation when parsing the page tree.
External References: https://lists.apache.org/thread.html/a9760973a873522f4d4c0a99916ceb74f361d91006b663a0a418d34a@%3Cannounce.apache.org%3E
Created pdfbox tracking bugs for this issue: Affects: fedora-all [bug 1637494]
Regarding the Satellite 5 product: Reducing the severity to Low: PDFBox is only used to create PDF. No attack vector, where an attacker could send a crafted PDF for parsing, has been found.
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss BPM Suite 6
* Red Hat JBoss BRMS 6
* Red Hat JBoss Fuse Service Works 6
* Red Hat JBoss Fuse 6
* Red Hat JBoss Data Virtualization & Services 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products:
Red Hat Fuse 7.7.0
Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-11797