{
  "threat_severity" : "Important",
  "public_date" : "2023-09-29T00:00:00Z",
  "bugzilla" : {
    "description" : "apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK",
    "id" : "2242521",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2242521"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-502",
  "details" : [ "When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.\nThis issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2.  Users should update to apache-avro version 1.11.3 which addresses this issue.", "A flaw was found in apache-avro. When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints, leading to an out-of-memory error and a denial of service on the system." ],
  "affected_release" : [ {
    "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3",
    "release_date" : "2023-11-30T00:00:00Z",
    "advisory" : "RHSA-2023:7617",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3.2.0"
  }, {
    "product_name" : "Red Hat build of Quarkus 2.13.9.Final",
    "release_date" : "2023-12-07T00:00:00Z",
    "advisory" : "RHSA-2023:7700",
    "cpe" : "cpe:/a:redhat:quarkus:2.13::el8",
    "package" : "org.apache.avro/avro:1.11.3.redhat-00002"
  }, {
    "product_name" : "Red Hat build of Quarkus 3.2.9.Final",
    "release_date" : "2023-11-30T00:00:00Z",
    "advisory" : "RHSA-2023:7612",
    "cpe" : "cpe:/a:redhat:quarkus:3.2::el8",
    "package" : "org.apache.avro/avro:1.11.3.redhat-00002"
  }, {
    "product_name" : "Red Hat Fuse 7.12.1",
    "release_date" : "2023-11-15T00:00:00Z",
    "advisory" : "RHSA-2023:7247",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "avro"
  }, {
    "product_name" : "Red Hat Fuse 7.13.0",
    "release_date" : "2024-05-23T00:00:00Z",
    "advisory" : "RHSA-2024:3354",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "avro"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "release_date" : "2023-12-04T00:00:00Z",
    "advisory" : "RHSA-2023:7641",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4",
    "package" : "avro"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10208",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-apache-cxf-0:3.1.16-3.SP1_redhat_00001.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10208",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-avro-0:1.7.6-2.redhat_00003.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10208",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-bouncycastle-0:1.68.0-1.redhat_00005.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10208",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-h2database-0:1.4.197-2.redhat_00005.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10208",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-jackson-databind-0:2.8.11.6-1.SP1_redhat_00001.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10208",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10208",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-jboss-xnio-base-0:3.5.10-1.Final_redhat_00001.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10208",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-wildfly-0:7.1.8-2.GA_redhat_00002.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10208",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-xalan-j2-0:2.7.1-26.redhat_00015.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
    "release_date" : "2023-12-04T00:00:00Z",
    "advisory" : "RHSA-2023:7638",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8",
    "package" : "eap7-avro-0:1.11.3-1.redhat_00001.1.el8eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
    "release_date" : "2023-12-04T00:00:00Z",
    "advisory" : "RHSA-2023:7639",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
    "package" : "eap7-avro-0:1.11.3-1.redhat_00001.1.el9eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
    "release_date" : "2023-12-04T00:00:00Z",
    "advisory" : "RHSA-2023:7637",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7",
    "package" : "eap7-avro-0:1.11.3-1.redhat_00001.1.el7eap"
  } ],
  "package_state" : [ {
    "product_name" : "A-MQ Clients 2",
    "fix_state" : "Not affected",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:a_mq_clients:2"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/elasticsearch6-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 3",
    "fix_state" : "Will not fix",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:3"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 2",
    "fix_state" : "Affected",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:service_registry:2"
  }, {
    "product_name" : "Red Hat build of Debezium 2",
    "fix_state" : "Will not fix",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:debezium:2"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Not affected",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "log4j:2/log4j",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Not affected",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat Integration Camel Quarkus 2",
    "fix_state" : "Affected",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Out of support scope",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Out of support scope",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "keycloak-adapter-sso7_5-eap6",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Out of support scope",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Affected",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "streams for Apache Kafka",
    "fix_state" : "Out of support scope",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:amq_streams:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-39410\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-39410\nhttps://issues.apache.org/jira/browse/AVRO-3819" ],
  "name" : "CVE-2023-39410",
  "csaw" : false
}