{
  "threat_severity" : "Moderate",
  "public_date" : "2018-08-17T00:00:00Z",
  "bugzilla" : {
    "description" : "apache-commons-compress: ZipArchiveInputStream.read() fails to identify correct EOF allowing for DoS via crafted zip",
    "id" : "1618573",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1618573"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.3",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Fuse 7.6.0",
    "release_date" : "2020-03-26T00:00:00Z",
    "advisory" : "RHSA-2020:0983",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "commons-compress"
  } ],
  "package_state" : [ {
    "product_name" : "JBoss Developer Studio 11",
    "fix_state" : "Out of support scope",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_dev_studio:11."
  }, {
    "product_name" : "Red Hat BPM Suite 6",
    "fix_state" : "Out of support scope",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "apache-commons-compress",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "apache-commons-compress",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat JBoss BRMS 6",
    "fix_state" : "Out of support scope",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Out of support scope",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Out of support scope",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat JBoss Operations Network 3",
    "fix_state" : "Out of support scope",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_operations_network:3"
  }, {
    "product_name" : "Red Hat Mobile Application Platform 4",
    "fix_state" : "Out of support scope",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:mobile_application_platform:4"
  }, {
    "product_name" : "Red Hat OpenStack Platform 8 (Liberty)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:8"
  }, {
    "product_name" : "Red Hat OpenStack Platform 9 (Mitaka)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:9"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Out of support scope",
    "package_name" : "lucene4-contrib",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-java-common-apache-commons-compress",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "rh-maven35-apache-commons-compress",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:storage:3",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Not affected",
    "package_name" : "apache-commons-compress",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-11771\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-11771\nhttps://lists.apache.org/thread.html/b8da751fc0ca949534cdf2744111da6bb0349d2798fac94b0a50f330@%3Cannounce.apache.org%3E" ],
  "name" : "CVE-2018-11771",
  "csaw" : false
}