{ "threat_severity" : "Moderate", "public_date" : "2017-11-14T00:00:00Z", "bugzilla" : { "description" : "cxf: Improper size validation in message attachment header for JAX-WS and JAX-RS services", "id" : "1515976", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1515976" }, "cvss3" : { "cvss3_base_score" : "5.3", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status" : "verified" }, "cwe" : "CWE-20", "details" : [ "Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property \"attachment-max-header-size\"." ], "affected_release" : [ { "product_name" : "Red Hat JBoss EAP 7.1", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2425", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.1", "package" : "cxf" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2423", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-activemq-artemis-0:1.5.5.013-1.redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2423", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-bouncycastle-0:1.56.0-5.redhat_3.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2423", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-guava-libraries-0:25.0.0-1.redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2423", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-hibernate-0:5.1.15-1.Final_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2423", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-ironjacamar-0:1.4.10-1.Final_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2423", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-jberet-0:1.2.6-2.Final_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2423", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-jboss-ejb-client-0:4.0.11-1.Final_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2423", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-jboss-remoting-0:5.0.8-1.Final_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2423", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-jboss-server-migration-0:1.0.6-4.Final_redhat_4.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2423", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-mod_cluster-0:1.3.10-1.Final_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2423", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-narayana-0:5.5.32-1.Final_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2423", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-picketlink-bindings-0:2.5.5-13.SP12_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2423", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-picketlink-federation-0:2.5.5-13.SP12_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2423", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-resteasy-0:3.0.26-1.Final_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2423", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-undertow-0:1.4.18-7.SP8_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2423", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-wildfly-0:7.1.4-1.GA_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2423", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-wildfly-javadocs-0:7.1.4-2.GA_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2423", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-wildfly-naming-client-0:1.0.9-1.Final_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2423", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-wildfly-openssl-linux-0:1.0.6-14.Final_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2423", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-wildfly-transaction-client-0:1.0.4-1.Final_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2423", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-wildfly-web-console-eap-0:2.9.18-1.Final_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2424", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package" : "eap7-activemq-artemis-0:1.5.5.013-1.redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2424", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package" : "eap7-bouncycastle-0:1.56.0-5.redhat_3.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2424", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package" : "eap7-guava-libraries-0:25.0.0-1.redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2424", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package" : "eap7-hibernate-0:5.1.15-1.Final_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2424", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package" : "eap7-ironjacamar-0:1.4.10-1.Final_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2424", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package" : "eap7-jberet-0:1.2.6-2.Final_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2424", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package" : "eap7-jboss-ejb-client-0:4.0.11-1.Final_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2424", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package" : "eap7-jboss-remoting-0:5.0.8-1.Final_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2424", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package" : "eap7-jboss-server-migration-0:1.0.6-4.Final_redhat_4.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2424", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package" : "eap7-mod_cluster-0:1.3.10-1.Final_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2424", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package" : "eap7-narayana-0:5.5.32-1.Final_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2424", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package" : "eap7-picketlink-bindings-0:2.5.5-13.SP12_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2424", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package" : "eap7-picketlink-federation-0:2.5.5-13.SP12_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2424", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package" : "eap7-resteasy-0:3.0.26-1.Final_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2424", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package" : "eap7-undertow-0:1.4.18-7.SP8_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2424", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package" : "eap7-wildfly-0:7.1.4-1.GA_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2424", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package" : "eap7-wildfly-javadocs-0:7.1.4-2.GA_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2424", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package" : "eap7-wildfly-naming-client-0:1.0.9-1.Final_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2424", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package" : "eap7-wildfly-openssl-linux-0:1.0.6-14.Final_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2424", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package" : "eap7-wildfly-transaction-client-0:1.0.4-1.Final_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2424", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package" : "eap7-wildfly-web-console-eap-0:2.9.18-1.Final_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat Single Sign-On 7.2.4 zip", "release_date" : "2018-08-15T00:00:00Z", "advisory" : "RHSA-2018:2428", "cpe" : "cpe:/a:redhat:jboss_single_sign_on:7.2", "package" : "cxf" } ], "package_state" : [ { "product_name" : "Red Hat BPM Suite 6", "fix_state" : "Not affected", "package_name" : "cxf", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Affected", "package_name" : "cxf", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat JBoss BRMS 5", "fix_state" : "Not affected", "package_name" : "cxf", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5" }, { "product_name" : "Red Hat JBoss BRMS 6", "fix_state" : "Not affected", "package_name" : "cxf", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6" }, { "product_name" : "Red Hat JBoss Data Grid 6", "fix_state" : "Not affected", "package_name" : "cxf", "cpe" : "cpe:/a:redhat:jboss_data_grid:6" }, { "product_name" : "Red Hat JBoss Data Virtualization 6", "fix_state" : "Not affected", "package_name" : "cxf", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5", "fix_state" : "Will not fix", "package_name" : "cxf", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Will not fix", "package_name" : "cxf", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Affected", "package_name" : "cxf", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Integration Service 2", "fix_state" : "Affected", "package_name" : "cxf", "cpe" : "cpe:/a:redhat:fuse_integration_services:2" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Will not fix", "package_name" : "cxf", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat JBoss Operations Network 3", "fix_state" : "Not affected", "package_name" : "cxf", "cpe" : "cpe:/a:redhat:jboss_operations_network:3" }, { "product_name" : "Red Hat JBoss Portal 6", "fix_state" : "Not affected", "package_name" : "cxf", "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:6" }, { "product_name" : "Red Hat JBoss SOA Platform 5", "fix_state" : "Will not fix", "package_name" : "cxf", "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Not affected", "package_name" : "cxf", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2017-12624\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-12624" ], "name" : "CVE-2017-12624", "csaw" : false }