{
  "threat_severity" : "Moderate",
  "public_date" : "2024-02-19T00:00:00Z",
  "bugzilla" : {
    "description" : "commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file",
    "id" : "2264988",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2264988"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-835",
  "details" : [ "Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.\nUsers are recommended to upgrade to version 1.26.0 which fixes the issue.", "A loop with an unreachable exit condition ('Infinite Loop') vulnerability was found in Apache Commons Compress. This issue can lead to a denial of service." ],
  "affected_release" : [ {
    "product_name" : "CEQ 3.2",
    "release_date" : "2024-04-09T00:00:00Z",
    "advisory" : "RHSA-2024:1706",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3",
    "package" : "commons-compress"
  }, {
    "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8",
    "release_date" : "2024-04-18T00:00:00Z",
    "advisory" : "RHSA-2024:1924",
    "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8",
    "package" : "commons-compress"
  }, {
    "product_name" : "MTA-6.2-RHEL-9",
    "release_date" : "2024-06-20T00:00:00Z",
    "advisory" : "RHSA-2024:3989",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6.2::el9",
    "package" : "mta/mta-windup-addon-rhel9:6.2.3-2"
  }, {
    "product_name" : "Red Hat AMQ Broker 7.13.0",
    "release_date" : "2025-05-14T00:00:00Z",
    "advisory" : "RHSA-2025:7625",
    "cpe" : "cpe:/a:redhat:amq_broker:7.13",
    "package" : "commons-compress"
  }, {
    "product_name" : "Red Hat AMQ Streams 2.7.0",
    "release_date" : "2024-05-30T00:00:00Z",
    "advisory" : "RHSA-2024:3527",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "Red Hat build of Quarkus 2.13.9.SP2",
    "release_date" : "2024-04-22T00:00:00Z",
    "advisory" : "RHSA-2024:1797",
    "cpe" : "cpe:/a:redhat:quarkus:2.13::el8",
    "package" : "org.apache.commons/commons-compress:1.26.1.redhat-00001"
  }, {
    "product_name" : "Red Hat build of Quarkus 3.2.11.Final",
    "release_date" : "2024-04-03T00:00:00Z",
    "advisory" : "RHSA-2024:1662",
    "cpe" : "cpe:/a:redhat:quarkus:3.2::el8",
    "package" : "org.apache.commons/commons-compress:1.26.0.redhat-00001"
  }, {
    "product_name" : "Red Hat Data Grid",
    "release_date" : "2024-03-26T00:00:00Z",
    "advisory" : "RHSA-2024:1509",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8",
    "package" : "commons-compress"
  }, {
    "product_name" : "RHINT Service Registry 2.5.11 GA",
    "release_date" : "2024-05-14T00:00:00Z",
    "advisory" : "RHSA-2024:2833",
    "cpe" : "cpe:/a:redhat:service_registry:2.5",
    "package" : "commons-compress"
  }, {
    "product_name" : "RHOSS-1.33-RHEL-8",
    "release_date" : "2024-06-24T00:00:00Z",
    "advisory" : "RHSA-2024:4057",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.33::el8",
    "package" : "openshift-serverless-1/logic-data-index-ephemeral-rhel8:1.33.0-5"
  }, {
    "product_name" : "RHOSS-1.33-RHEL-8",
    "release_date" : "2024-06-24T00:00:00Z",
    "advisory" : "RHSA-2024:4057",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.33::el8",
    "package" : "openshift-serverless-1/logic-data-index-postgresql-rhel8:1.33.0-5"
  }, {
    "product_name" : "RHOSS-1.33-RHEL-8",
    "release_date" : "2024-06-24T00:00:00Z",
    "advisory" : "RHSA-2024:4057",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.33::el8",
    "package" : "openshift-serverless-1/logic-jobs-service-ephemeral-rhel8:1.33.0-5"
  }, {
    "product_name" : "RHOSS-1.33-RHEL-8",
    "release_date" : "2024-06-24T00:00:00Z",
    "advisory" : "RHSA-2024:4057",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.33::el8",
    "package" : "openshift-serverless-1/logic-jobs-service-postgresql-rhel8:1.33.0-5"
  }, {
    "product_name" : "RHOSS-1.33-RHEL-8",
    "release_date" : "2024-06-24T00:00:00Z",
    "advisory" : "RHSA-2024:4057",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.33::el8",
    "package" : "openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8:1.33.0-5"
  }, {
    "product_name" : "RHOSS-1.33-RHEL-8",
    "release_date" : "2024-06-24T00:00:00Z",
    "advisory" : "RHSA-2024:4057",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.33::el8",
    "package" : "openshift-serverless-1/logic-operator-bundle:1.33.0-5"
  }, {
    "product_name" : "RHOSS-1.33-RHEL-8",
    "release_date" : "2024-06-24T00:00:00Z",
    "advisory" : "RHSA-2024:4057",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.33::el8",
    "package" : "openshift-serverless-1/logic-rhel8-operator:1.33.0-3"
  }, {
    "product_name" : "RHOSS-1.33-RHEL-8",
    "release_date" : "2024-06-24T00:00:00Z",
    "advisory" : "RHSA-2024:4057",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.33::el8",
    "package" : "openshift-serverless-1/logic-swf-builder-rhel8:1.33.0-5"
  }, {
    "product_name" : "RHOSS-1.33-RHEL-8",
    "release_date" : "2024-06-24T00:00:00Z",
    "advisory" : "RHSA-2024:4057",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.33::el8",
    "package" : "openshift-serverless-1/logic-swf-devmode-rhel8:1.33.0-5"
  } ],
  "package_state" : [ {
    "product_name" : "A-MQ Clients 2",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:a_mq_clients:2"
  }, {
    "product_name" : "Cryostat 2",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:cryostat:2"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "org.elasticsearch-elasticsearch",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Red Hat AMQ Clients",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:amq_clients:2023"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Will not fix",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 3",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:3"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 4",
    "fix_state" : "Affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:4"
  }, {
    "product_name" : "Red Hat build of Debezium 2",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:debezium:2"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat build of OptaPlanner 8",
    "fix_state" : "Will not fix",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:optaplanner:::el6"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat Integration Camel Quarkus 2",
    "fix_state" : "Affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Out of support scope",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Out of support scope",
    "package_name" : "apache-commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Out of support scope",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Will not fix",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "Red Hat support for Spring Boot",
    "fix_state" : "Out of support scope",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  }, {
    "product_name" : "streams for Apache Kafka",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:amq_streams:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-25710\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-25710\nhttp://www.openwall.com/lists/oss-security/2024/02/19/1\nhttps://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf" ],
  "name" : "CVE-2024-25710",
  "mitigation" : {
    "value" : "No mitigation is currently available for this vulnerability.",
    "lang" : "en:us"
  },
  "csaw" : false
}