{
  "threat_severity" : "Moderate",
  "public_date" : "2021-02-18T00:00:00Z",
  "bugzilla" : {
    "description" : "jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception",
    "id" : "1930423",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1930423"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor in versions before 2.11.4 and in versions from 2.12.0-rc1 before 2.12.1. Unchecked allocation of a byte buffer can cause a java.lang.OutOfMemoryError exception." ],
  "statement" : "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack ship the vulnerable version of jackson-dataformat-cbor.\nSince the release of OCP 4.6, the metering product has been deprecated [1]; hence the affected components are marked as wontfix.\nThis may be fixed in the future.\nIn OCP 4.6, the openshift4/ose-logging-elasticsearch6 container delivers the vulnerable version of jackson-dataformat-cbor, but OCP 4.6 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities because it is now in the Maintenance Phase of support; hence this component is marked as ooss. Since the release of OCP 4.7, this component is delivered as part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8 container).\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
  "affected_release" : [ {
    "product_name" : "OpenShift Logging 5.1",
    "release_date" : "2022-03-01T00:00:00Z",
    "advisory" : "RHSA-2022:0727",
    "cpe" : "cpe:/a:redhat:logging:5.1::el8",
    "package" : "openshift-logging/elasticsearch6-rhel8:v6.8.1-120"
  }, {
    "product_name" : "OpenShift Logging 5.2",
    "release_date" : "2022-03-02T00:00:00Z",
    "advisory" : "RHSA-2022:0728",
    "cpe" : "cpe:/a:redhat:logging:5.2::el8",
    "package" : "openshift-logging/elasticsearch6-rhel8:v6.8.1-124"
  }, {
    "product_name" : "OpenShift Logging 5.3",
    "release_date" : "2022-03-01T00:00:00Z",
    "advisory" : "RHSA-2022:0721",
    "cpe" : "cpe:/a:redhat:logging:5.3::el8",
    "package" : "openshift-logging/elasticsearch6-rhel8:v6.8.1-123"
  }, {
    "product_name" : "Red Hat build of Quarkus 2.2.3",
    "release_date" : "2021-10-20T00:00:00Z",
    "advisory" : "RHSA-2021:3880",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "package" : "jackson-dataformat-cbor"
  }, {
    "product_name" : "Red Hat Fuse 7.10",
    "release_date" : "2021-12-14T00:00:00Z",
    "advisory" : "RHSA-2021:5134",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "jackson-dataformat-cbor"
  }, {
    "product_name" : "Red Hat Integration",
    "release_date" : "2021-12-02T00:00:00Z",
    "advisory" : "RHSA-2021:4918",
    "cpe" : "cpe:/a:redhat:integration:1",
    "package" : "jackson-dataformat-cbor"
  }, {
    "product_name" : "Red Hat Integration Camel Quarkus 2",
    "release_date" : "2021-11-23T00:00:00Z",
    "advisory" : "RHSA-2021:4767",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2.2"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.4.9",
    "release_date" : "2021-09-14T00:00:00Z",
    "advisory" : "RHSA-2021:3534",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7",
    "package" : "jackson-dataformat-cbor"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.4 for RHEL 6",
    "release_date" : "2021-09-14T00:00:00Z",
    "advisory" : "RHSA-2021:3527",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7::el6",
    "package" : "rh-sso7-keycloak-0:9.0.15-1.redhat_00002.1.el6sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.4 for RHEL 7",
    "release_date" : "2021-09-14T00:00:00Z",
    "advisory" : "RHSA-2021:3528",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7::el7",
    "package" : "rh-sso7-keycloak-0:9.0.15-1.redhat_00002.1.el7sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.4 for RHEL 8",
    "release_date" : "2021-09-14T00:00:00Z",
    "advisory" : "RHSA-2021:3529",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7::el8",
    "package" : "rh-sso7-keycloak-0:9.0.15-1.redhat_00002.1.el8sso"
  }, {
    "product_name" : "RHDM 7.12.0",
    "release_date" : "2022-01-26T00:00:00Z",
    "advisory" : "RHSA-2022:0297",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7.12",
    "package" : "jackson-dataformat-cbor"
  }, {
    "product_name" : "RHPAM 7.12.0",
    "release_date" : "2022-01-26T00:00:00Z",
    "advisory" : "RHSA-2022:0296",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12",
    "package" : "jackson-dataformat-cbor"
  }, {
    "product_name" : "vertx 4.1.2",
    "release_date" : "2021-08-18T00:00:00Z",
    "advisory" : "RHSA-2021:3125",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "package" : "jackson-dataformat-cbor"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Integration Camel Quarkus 1",
    "fix_state" : "Affected",
    "package_name" : "jackson-dataformat-cbor",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2"
  }, {
    "product_name" : "Red Hat OpenShift Application Runtimes",
    "fix_state" : "Affected",
    "package_name" : "jackson-dataformat-cbor",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Will not fix",
    "package_name" : "openshift3/ose-logging-elasticsearch5",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Out of support scope",
    "package_name" : "openshift4/ose-logging-elasticsearch6",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-metering-hadoop",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-metering-hive",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-metering-presto",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-28491\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-28491\nhttps://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329" ],
  "name" : "CVE-2020-28491",
  "csaw" : false
}