Bug 1665601 (CVE-2018-1000873) - CVE-2018-1000873 jackson-modules-java8: DoS due to an Improper Input Validation
Summary: CVE-2018-1000873 jackson-modules-java8: DoS due to an Improper Input Validation
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1000873
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1665603 1667118
Blocks:
Reported: 2019-01-11 22:07 UTC by Laura Pardo
Modified: 2020-12-16 16:18 UTC (History)
Fixed In Version: jackson-modules-java8 2.9.8
Clone Of:
Environment:
Last Closed: 2020-12-16 16:18:15 UTC
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:5568 0 None None None 2020-12-16 12:11:38 UTC

Description Laura Pardo 2019-01-11 22:07:14 UTC
FasterXML Jackson versions before 2.9.8 contain an improper input validation vulnerability in jackson-modules-java8 that can result in a denial of service (DoS) when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value.


References:
https://github.com/FasterXML/jackson-modules-java8/issues/90

Upstream Patch:
https://github.com/FasterXML/jackson-modules-java8/pull/87

Comment 1 Laura Pardo 2019-01-11 22:08:43 UTC
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1665603]

Comment 3 Richard Maciel Costa 2019-01-17 14:00:50 UTC
Created jackson-datatype-jsr310 tracking bugs for this issue:

Affects: fedora-all [bug 1667118]

Comment 6 Doran Moppert 2019-03-05 06:01:57 UTC
rhvm-appliance includes the affected package eap7-jackson-datatype-jsr310, as a dependency of eap7-wildfly, used by ovirt-engine.  However, the deserialization classes affected by this flaw are not used by Wildfly or oVirt, and thus cannot be exposed to untrusted input.  A future update will address this vulnerability.

Comment 8 Jason Shepherd 2019-08-08 06:03:24 UTC
This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Comment 10 Paramvir jindal 2019-10-30 10:42:04 UTC
RHSSO 7.3.3 ships jackson-datatype-jsr310-2.9.8.redhat-00004.jar, which is already a fixed version, hence marking it Not Affected:

./modules/system/layers/base/.overlays/layer-base-rh-sso-7.3.3.CP/com/fasterxml/jackson/datatype/jackson-datatype-jsr310/main/jackson-datatype-jsr310-2.9.8.redhat-00004.jar
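
The affectedness decision made in comment 10 (read the jackson-datatype-jsr310 version out of the shipped jar name and compare it with the 2.9.8 fix version from the description) can be automated for an inventory of jar paths. The following is an added example, not code from Red Hat or from the jackson-modules-java8 project. It assumes the Maven-style jar naming shown above (`<artifact>-<numeric version>[.<qualifier>].jar`), treats a vendor rebuild qualifier such as `redhat-00004` as the same upstream version, and only knows the `jackson-datatype-jsr310` artifact named on this bug; the sample paths other than the RHSSO one are constructed.

```python
import os
import re
from typing import Dict, Iterable, Optional, Tuple

# "Fixed In Version: jackson-modules-java8 2.9.8" on this bug; older upstream versions are affected.
FIXED_VERSION: Tuple[int, ...] = (2, 9, 8)

# Jar name pattern assumed from comment 10: jackson-datatype-jsr310-2.9.8.redhat-00004.jar
JAR_RE = re.compile(
    r"^(?P<artifact>jackson-datatype-jsr310)-"
    r"(?P<version>\d+(?:\.\d+)*)"        # numeric upstream version, e.g. 2.9.8
    r"(?:[.-](?P<qualifier>[^/]+?))?"    # optional vendor rebuild qualifier, e.g. redhat-00004
    r"\.jar$"
)


def parse_jar(path: str) -> Optional[Tuple[str, Tuple[int, ...], Optional[str]]]:
    """Split a jar path into (artifact, numeric version tuple, qualifier); None if it is not a jsr310 jar."""
    match = JAR_RE.match(os.path.basename(path))
    if match is None:
        return None
    version = tuple(int(part) for part in match.group("version").split("."))
    return match.group("artifact"), version, match.group("qualifier")


def classify(path: str) -> str:
    """Return 'affected', 'not affected' or 'unknown' for one jar path, by upstream version only."""
    parsed = parse_jar(path)
    if parsed is None:
        return "unknown"
    _, version, _ = parsed
    # Tuple comparison handles versions with a different number of components (e.g. 2.8.11.3).
    return "affected" if version < FIXED_VERSION else "not affected"


def scan(paths: Iterable[str]) -> Dict[str, str]:
    """Classify every path that parses as a jsr310 jar; paths that do not parse are skipped."""
    return {p: classify(p) for p in paths if parse_jar(p) is not None}


# Constructed inventory: the first path is the one quoted in comment 10, the rest are made up for illustration.
SAMPLE_PATHS = [
    "./modules/system/layers/base/.overlays/layer-base-rh-sso-7.3.3.CP/com/fasterxml/jackson/datatype/"
    "jackson-datatype-jsr310/main/jackson-datatype-jsr310-2.9.8.redhat-00004.jar",
    "/opt/app/lib/jackson-datatype-jsr310-2.9.7.jar",
    "/opt/app/lib/jackson-datatype-jsr310-2.8.11.3.jar",
    "/opt/app/lib/jackson-datatype-jsr310-2.10.0.jar",
    "/opt/app/lib/jackson-databind-2.9.8.jar",   # different artifact, not in scope of this checker
]

if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_PATHS).items():
        print(f"{verdict:13s} {os.path.basename(path)}")
```

The check keys only on the upstream version embedded in the jar name, which is exactly what comment 10 does. A vendor rebuild can carry a backported fix under an older upstream number, so a verdict of "affected" from this script is a prompt to consult the vendor's errata (here RHSA-2020:5568 and the CVE page linked below), not a final answer.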

Comment 11 Paramvir jindal 2019-10-30 10:48:50 UTC
This vulnerability is out of security support scope for the following products:
 
 * Red Hat JBoss Data Virtualization & Services 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 14 errata-xmlrpc 2020-12-16 12:12:02 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.8.0

Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568

Comment 15 Product Security DevOps Team 2020-12-16 16:18:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-1000873

