{ "threat_severity" : "Moderate", "public_date" : "2021-06-08T00:00:00Z", "bugzilla" : { "description" : "jdom: XXE allows attackers to cause a DoS via a crafted HTTP request", "id" : "1973413", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1973413" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-611", "details" : [ "An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request." ], "statement" : "In OpenShift Container Platform (OCP), the hive and hadoop components that comprise the OCP metering stack, ship the vulnerable version of jdom.\nSince the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\nThis flaw is out of support scope for Red Hat Enterprise Linux 6 and 7. Please see the following page for more information on Red Hat Enterprise Linux support scopes: https://access.redhat.com/support/policy/updates/errata/ .\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", "affected_release" : [ { "product_name" : "Red Hat Fuse 7.11", "release_date" : "2022-07-07T00:00:00Z", "advisory" : "RHSA-2022:5532", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "jdom" }, { "product_name" : "Red Hat Fuse 7.11", "release_date" : "2022-07-07T00:00:00Z", "advisory" : "RHSA-2022:5532", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "jdom2", "impact" : "low" }, { "product_name" : "RHDM 7.12.1", "release_date" : "2022-03-29T00:00:00Z", "advisory" : "RHSA-2022:1110", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7.12", "package" : "jdom" }, { "product_name" : "RHINT Camel-K 1.6.4", "release_date" : "2022-03-23T00:00:00Z", "advisory" : "RHSA-2022:1029", "cpe" : "cpe:/a:redhat:integration:1", "package" : "jdom" }, { "product_name" : "RHINT Camel-K 1.6.4", "release_date" : "2022-03-23T00:00:00Z", "advisory" : "RHSA-2022:1029", "cpe" : "cpe:/a:redhat:integration:1", "package" : "jdom2" }, { "product_name" : "RHPAM 7.12.1", "release_date" : "2022-03-29T00:00:00Z", "advisory" : "RHSA-2022:1108", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12", "package" : "jdom" } ], "package_state" : [ { "product_name" : "Red Hat BPM Suite 6", "fix_state" : "Out of support scope", "package_name" : "jdom", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform" }, { "product_name" : "Red Hat BPM Suite 6", "fix_state" : "Out of support scope", "package_name" : "jdom2", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "jdom", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "jdom", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat JBoss A-MQ 6", "fix_state" : "Out of support scope", "package_name" : "jdom", "cpe" : "cpe:/a:redhat:jboss_amq:6" }, { "product_name" : "Red Hat JBoss BRMS 5", "fix_state" : "Out of support scope", "package_name" : "jdom", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5" }, { "product_name" : "Red Hat JBoss BRMS 5", "fix_state" : "Out of support scope", "package_name" : "jdom2", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5" }, { "product_name" : "Red Hat JBoss BRMS 6", "fix_state" : "Out of support scope", "package_name" : "jdom", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Out of support scope", "package_name" : "jdom", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Data Virtualization 6", "fix_state" : "Out of support scope", "package_name" : "jdom2", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "jdom", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "jdom", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "jdom2", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Out of support scope", "package_name" : "jdom", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat JBoss Operations Network 3", "fix_state" : "Out of support scope", "package_name" : "jdom", "cpe" : "cpe:/a:redhat:jboss_operations_network:3" }, { "product_name" : "Red Hat JBoss SOA Platform 5", "fix_state" : "Out of support scope", "package_name" : "jdom", "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-metering-hadoop", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-metering-hive", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Will not fix", "package_name" : "rh-maven36-jdom", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Will not fix", "package_name" : "rh-maven36-jdom2", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-33813\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-33813" ], "name" : "CVE-2021-33813", "csaw" : false }