Bug 1665601 (CVE-2018-1000873) - CVE-2018-1000873 jackson-modules-java8: DoS due to an Improper Input Validation
Summary: CVE-2018-1000873 jackson-modules-java8: DoS due to an Improper Input Validation
Status: NEW
Alias: CVE-2018-1000873
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: impact=moderate,public=20181024,repor...
Depends On: 1665603 1667118
Blocks: 1665604
TreeView+ depends on / blocked
Reported: 2019-01-11 22:07 UTC by Laura Pardo
Modified: 2019-08-30 11:56 UTC (History)
92 users (show)

Fixed In Version: jackson-modules-java8 2.9.8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Laura Pardo 2019-01-11 22:07:14 UTC
Fasterxml Jackson version Before 2.9.8 contains an Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial-of-service (DoS) when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. 


Upstream Patch:

Comment 1 Laura Pardo 2019-01-11 22:08:43 UTC
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1665603]

Comment 3 Richard Maciel Costa 2019-01-17 14:00:50 UTC
Created jackson-datatype-jsr310 tracking bugs for this issue:

Affects: fedora-all [bug 1667118]

Comment 6 Doran Moppert 2019-03-05 06:01:57 UTC
rhvm-appliance includes the affected package eap7-jackson-datatype-jsr310, as a dependency of eap7-wildfly, used by ovirt-engine.  However, the deserialization classes affected by this flaw are not used by Wildfly or oVirt, and thus cannot be exposed to untrusted input.  A future update will address this vulnerability.

Comment 8 Jason Shepherd 2019-08-08 06:03:24 UTC
This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Note You need to log in before you can comment on or make changes to this bug.