FasterXML Jackson versions before 2.9.8 contain an Improper Input Validation vulnerability in jackson-modules-java8 that can result in a denial of service (DoS) when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value.
References: https://github.com/FasterXML/jackson-modules-java8/issues/90
Upstream Patch: https://github.com/FasterXML/jackson-modules-java8/pull/87
Created jackson-databind tracking bugs for this issue: Affects: fedora-all [bug 1665603]
Created jackson-datatype-jsr310 tracking bugs for this issue: Affects: fedora-all [bug 1667118]
rhvm-appliance includes the affected package eap7-jackson-datatype-jsr310 as a dependency of eap7-wildfly, used by ovirt-engine. However, the deserialization classes affected by this flaw are not used by WildFly or oVirt, and thus cannot be exposed to untrusted input. A future update will address this vulnerability.
This vulnerability is out of security support scope for the following product:
* Red Hat Mobile Application Platform
Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details.
RHSSO 7.3.3 ships jackson-datatype-jsr310-2.9.8.redhat-00004.jar, which is already the fixed version, hence marking it Not Affected:
./modules/system/layers/base/.overlays/layer-base-rh-sso-7.3.3.CP/com/fasterxml/jackson/datatype/jackson-datatype-jsr310/main/jackson-datatype-jsr310-2.9.8.redhat-00004.jar
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Data Virtualization & Services 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products:
Red Hat Fuse 7.8.0 via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-1000873