FasterXML Jackson versions before 2.9.8 contain an Improper Input Validation vulnerability in jackson-modules-java8 that can result in a denial of service (DoS) when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value.
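As an added example that is not part of the original tracker entry, here is a small classpath check for the affected artifact. It parses jackson-datatype-jsr310 jar file names, compares the upstream version against the 2.9.8 fix threshold stated above, and treats a vendor rebuild suffix such as `.redhat-00004` (the form cited for RHSSO further down this page) as the same upstream version, while a `-SNAPSHOT`/`-rc` qualifier on 2.9.8 itself is assumed to predate the fix. The file names in the `__main__` block are constructed sample input, and the jar naming convention and suffix handling are this example's assumptions, not something the advisory specifies.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Fix threshold from the advisory: jackson-modules-java8 2.9.8
FIXED_VERSION: Tuple[int, ...] = (2, 9, 8)

# Assumed Maven-style jar name: <artifact>-<version>[<qualifier>].jar
# e.g. jackson-datatype-jsr310-2.9.7.jar
#      jackson-datatype-jsr310-2.9.8.redhat-00004.jar   (vendor rebuild)
#      jackson-datatype-jsr310-2.9.8-SNAPSHOT.jar       (pre-release)
_JAR_RE = re.compile(
    r"^jackson-datatype-jsr310-"
    r"(?P<version>\d+(?:\.\d+)*)"
    r"(?P<suffix>[.-][A-Za-z][\w.-]*)?\.jar$"
)

# Qualifiers assumed to mark a build that predates the numbered release
_PRERELEASE_RE = re.compile(r"^[.-](snapshot|rc|alpha|beta)", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.9.8' into (2, 9, 8); pad short versions so '2.9' is (2, 9, 0)."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def classify_jar(path: str) -> Optional[str]:
    """Return 'affected', 'fixed', or None if this is not a jsr310 jar."""
    name = path.rsplit("/", 1)[-1]
    m = _JAR_RE.match(name)
    if not m:
        return None
    version = parse_version(m.group("version"))
    suffix = m.group("suffix") or ""
    if version < FIXED_VERSION:
        return "affected"
    # Exactly the fix version but with a pre-release qualifier: assumed unfixed.
    if version == FIXED_VERSION and _PRERELEASE_RE.match(suffix):
        return "affected"
    return "fixed"


def scan(paths: Iterable[str]) -> Dict[str, str]:
    """Map every jsr310 jar in `paths` to its classification."""
    results = {}
    for p in paths:
        verdict = classify_jar(p)
        if verdict is not None:
            results[p] = verdict
    return results


if __name__ == "__main__":
    # Constructed sample classpath, not taken from any real system
    sample = [
        "/opt/app/lib/jackson-databind-2.9.7.jar",
        "/opt/app/lib/jackson-datatype-jsr310-2.9.7.jar",
        "/opt/eap/modules/jackson-datatype-jsr310-2.9.8.redhat-00004.jar",
        "/home/dev/.m2/jackson-datatype-jsr310-2.9.8-SNAPSHOT.jar",
        "/opt/new/lib/jackson-datatype-jsr310-2.10.0.jar",
    ]
    for jar, verdict in scan(sample).items():
        print(f"{verdict:9s} {jar}")
```

Only the file name is inspected, so a shaded or renamed jar (or one whose version is only recorded in `META-INF/MANIFEST.MF`) will be missed; treat a clean result as necessary but not sufficient.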
Created jackson-databind tracking bugs for this issue:
Affects: fedora-all [bug 1665603]
Created jackson-datatype-jsr310 tracking bugs for this issue:
Affects: fedora-all [bug 1667118]
rhvm-appliance includes the affected package eap7-jackson-datatype-jsr310, as a dependency of eap7-wildfly, used by ovirt-engine. However, the deserialization classes affected by this flaw are not used by Wildfly or oVirt, and thus cannot be exposed to untrusted input. A future update will address this vulnerability.
This vulnerability is out of security support scope for the following product:
* Red Hat Mobile Application Platform
Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details
RHSSO 7.3.3 ships jackson-datatype-jsr310-2.9.8.redhat-00004.jar, which is already a fixed version, hence marking it Not Affected.
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Data Virtualization & Services 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products:
Red Hat Fuse 7.8.0
Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):