Bug 1665601 (CVE-2018-1000873) - CVE-2018-1000873 jackson-modules-java8: DoS due to an Improper Input Validation
Summary: CVE-2018-1000873 jackson-modules-java8: DoS due to an Improper Input Validation
Alias: CVE-2018-1000873
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1665603 1667118
Blocks: 1665604
TreeView+ depends on / blocked
Reported: 2019-01-11 22:07 UTC by Laura Pardo
Modified: 2020-12-16 16:18 UTC (History)
84 users (show)

Fixed In Version: jackson-modules-java8 2.9.8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-12-16 16:18:15 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:5568 0 None None None 2020-12-16 12:11:38 UTC

Description Laura Pardo 2019-01-11 22:07:14 UTC
Fasterxml Jackson version Before 2.9.8 contains an Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial-of-service (DoS) when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. 


Upstream Patch:

Comment 1 Laura Pardo 2019-01-11 22:08:43 UTC
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1665603]

Comment 3 Richard Maciel Costa 2019-01-17 14:00:50 UTC
Created jackson-datatype-jsr310 tracking bugs for this issue:

Affects: fedora-all [bug 1667118]

Comment 6 Doran Moppert 2019-03-05 06:01:57 UTC
rhvm-appliance includes the affected package eap7-jackson-datatype-jsr310, as a dependency of eap7-wildfly, used by ovirt-engine.  However, the deserialization classes affected by this flaw are not used by Wildfly or oVirt, and thus cannot be exposed to untrusted input.  A future update will address this vulnerability.

Comment 8 Jason Shepherd 2019-08-08 06:03:24 UTC
This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Comment 10 Paramvir jindal 2019-10-30 10:42:04 UTC
RHSSO 7.3.3 ships jackson-datatype-jsr310-2.9.8.redhat-00004.jar which is already fixed version hence marking it Not affected:


Comment 11 Paramvir jindal 2019-10-30 10:48:50 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Data Virtualization & Services 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 14 errata-xmlrpc 2020-12-16 12:12:02 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.8.0

Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568

Comment 15 Product Security DevOps Team 2020-12-16 16:18:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.