{
  "threat_severity" : "Moderate",
  "public_date" : "2021-06-16T00:00:00Z",
  "bugzilla" : {
    "description" : "CXF: Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter",
    "id" : "1973392",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1973392"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-835",
  "details" : [ "A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11." ],
  "statement" : "In OpenShift Container Platform (OCP) the openshift4/ose-logging-elasticsearch6 container bundles  the vulnerable version of apache-cxf, but OCP 4.6 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities because it is now in the Maintenance Phase of the support, hence this component is marked as ooss. Starting in 4.7 this component is delivered as part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8 container) and is not affected by this vulnerability.",
  "affected_release" : [ {
    "product_name" : "JWS 5.7.0",
    "release_date" : "2022-11-02T00:00:00Z",
    "advisory" : "RHSA-2022:7273",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7",
    "package" : "cxf-rt-rs-json-basic",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Fuse 7.10",
    "release_date" : "2021-12-14T00:00:00Z",
    "advisory" : "RHSA-2021:5134",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "cxf-rt-rs-json-basic"
  }, {
    "product_name" : "Red Hat Integration",
    "release_date" : "2021-08-18T00:00:00Z",
    "advisory" : "RHSA-2021:3205",
    "cpe" : "cpe:/a:redhat:integration:1",
    "package" : "cxf-rt-rs-json-basic"
  } ],
  "package_state" : [ {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/elasticsearch6-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Red Hat BPM Suite 6",
    "fix_state" : "Not affected",
    "package_name" : "cxf-rt-rs-json-basic",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform"
  }, {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Not affected",
    "package_name" : "cxf-rt-rs-json-basic",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Integration Camel Quarkus 1",
    "fix_state" : "Affected",
    "package_name" : "cxf-rt-rs-json-basic",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Not affected",
    "package_name" : "cxf-rt-rs-json-basic",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Not affected",
    "package_name" : "cxf-rt-rs-json-basic",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "cxf-rt-rs-json-basic",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "cxf-rt-rs-json-basic",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "cxf-rt-rs-json-basic",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Not affected",
    "package_name" : "cxf-rt-rs-json-basic",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat JBoss Operations Network 3",
    "fix_state" : "Not affected",
    "package_name" : "cxf-rt-rs-json-basic",
    "cpe" : "cpe:/a:redhat:jboss_operations_network:3"
  }, {
    "product_name" : "Red Hat JBoss SOA Platform 5",
    "fix_state" : "Not affected",
    "package_name" : "cxf-rt-rs-json-basic",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Out of support scope",
    "package_name" : "openshift4/ose-logging-elasticsearch6",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "cxf-rt-rs-json-basic",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Not affected",
    "package_name" : "cxf-rt-rs-json-basic",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-30468\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-30468\nhttp://cxf.apache.org/security-advisories.data/CVE-2021-30468.txt.asc?version=1&modificationDate=1623835369690&api=v2" ],
  "name" : "CVE-2021-30468",
  "csaw" : false
}