1687364 – (CVE-2018-11793) CVE-2018-11793 mesos: stack overflow vulnerability in parser

Bug 1687364 (CVE-2018-11793) - CVE-2018-11793 mesos: stack overflow vulnerability in parser

Summary: CVE-2018-11793 mesos: stack overflow vulnerability in parser

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2018-11793
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1687365
Blocks:	1687367
TreeView+	depends on / blocked

Reported:	2019-03-11 11:35 UTC by Dhananjay Arunesh
Modified:	2020-12-15 15:42 UTC (History)
CC List:	3 users (show)
Fixed In Version:	Apache Mesos 1.4.3, Apache Mesos 1.5.2, Apache Mesos 1.6.2, Apache Mesos 1.7.1, Apache Mesos 1.8.0
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-06-10 10:50:15 UTC
Embargoed:

Attachments	(Terms of Use)

Description Dhananjay Arunesh 2019-03-11 11:35:55 UTC

When parsing a JSON payload with deeply nested JSON structures, the parser in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, and 1.7.0 might overflow the stack due to unbounded recursion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.

Upstream Issue:
https://lists.apache.org/thread.html/9be975c53e5ad612c7e0af39f5b88837fbfbc32108e587d3d8499844@%3Cdev.mesos.apache.org%3E

Comment 1 Dhananjay Arunesh 2019-03-11 11:36:06 UTC

Created mesos tracking bugs for this issue:

Affects: fedora-all [bug 1687365]

Comment 3 Joshua Padman 2019-05-16 11:36:08 UTC

JBoss Fuse 7 does not contain Mesos and is not affected by this vulnerability.

Note You need to log in before you can comment on or make changes to this bug.