Bug 1687364 (CVE-2018-11793) - CVE-2018-11793 mesos: stack overflow vulnerability in parser
Summary: CVE-2018-11793 mesos: stack overflow vulnerability in parser
Alias: CVE-2018-11793
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1687365
Blocks: 1687367
TreeView+ depends on / blocked
Reported: 2019-03-11 11:35 UTC by Dhananjay Arunesh
Modified: 2020-12-15 15:42 UTC (History)
3 users (show)

Fixed In Version: Apache Mesos 1.4.3, Apache Mesos 1.5.2, Apache Mesos 1.6.2, Apache Mesos 1.7.1, Apache Mesos 1.8.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-10 10:50:15 UTC

Attachments (Terms of Use)

Description Dhananjay Arunesh 2019-03-11 11:35:55 UTC
When parsing a JSON payload with deeply nested JSON structures, the parser in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, and 1.7.0 might overflow the stack due to unbounded recursion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.

Upstream Issue:

Comment 1 Dhananjay Arunesh 2019-03-11 11:36:06 UTC
Created mesos tracking bugs for this issue:

Affects: fedora-all [bug 1687365]

Comment 3 Joshua Padman 2019-05-16 11:36:08 UTC
JBoss Fuse 7 does not contain Mesos and is not affected by this vulnerability.

Note You need to log in before you can comment on or make changes to this bug.