{
  "threat_severity" : "Moderate",
  "public_date" : "2024-02-19T00:00:00Z",
  "bugzilla" : {
    "description" : "commons-compress: OutOfMemoryError unpacking broken Pack200 file",
    "id" : "2264989",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2264989"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-770",
  "details" : [ "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26.\nUsers are recommended to upgrade to version 1.26, which fixes the issue.", "An allocation of resources without limits or throttling vulnerability was found in Apache Commons Compress. This issue can lead to an out-of-memory error." ],
  "affected_release" : [ {
    "product_name" : "CEQ 3.2",
    "release_date" : "2024-04-09T00:00:00Z",
    "advisory" : "RHSA-2024:1706",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3",
    "package" : "commons-compress"
  }, {
    "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8",
    "release_date" : "2024-04-18T00:00:00Z",
    "advisory" : "RHSA-2024:1923",
    "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8",
    "package" : "mtr/mtr-operator-bundle:1.2-18"
  }, {
    "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8",
    "release_date" : "2024-04-18T00:00:00Z",
    "advisory" : "RHSA-2024:1923",
    "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8",
    "package" : "mtr/mtr-rhel8-operator:1.2-11"
  }, {
    "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8",
    "release_date" : "2024-04-18T00:00:00Z",
    "advisory" : "RHSA-2024:1923",
    "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8",
    "package" : "mtr/mtr-web-container-rhel8:1.2-12"
  }, {
    "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8",
    "release_date" : "2024-04-18T00:00:00Z",
    "advisory" : "RHSA-2024:1923",
    "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8",
    "package" : "mtr/mtr-web-executor-container-rhel8:1.2-10"
  }, {
    "product_name" : "MTA-6.2-RHEL-9",
    "release_date" : "2024-06-20T00:00:00Z",
    "advisory" : "RHSA-2024:3989",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6.2::el9",
    "package" : "mta/mta-windup-addon-rhel9:6.2.3-2"
  }, {
    "product_name" : "Red Hat AMQ Broker 7.13.0",
    "release_date" : "2025-05-14T00:00:00Z",
    "advisory" : "RHSA-2025:7625",
    "cpe" : "cpe:/a:redhat:amq_broker:7.13",
    "package" : "commons-compress"
  }, {
    "product_name" : "Red Hat build of Quarkus 2.13.9.SP2",
    "release_date" : "2024-04-22T00:00:00Z",
    "advisory" : "RHSA-2024:1797",
    "cpe" : "cpe:/a:redhat:quarkus:2.13::el8",
    "package" : "org.apache.commons/commons-compress:1.26.1.redhat-00001"
  }, {
    "product_name" : "Red Hat build of Quarkus 3.2.11.Final",
    "release_date" : "2024-04-03T00:00:00Z",
    "advisory" : "RHSA-2024:1662",
    "cpe" : "cpe:/a:redhat:quarkus:3.2::el8",
    "package" : "org.apache.commons/commons-compress:1.26.0.redhat-00001"
  }, {
    "product_name" : "Red Hat Data Grid",
    "release_date" : "2024-03-26T00:00:00Z",
    "advisory" : "RHSA-2024:1509",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8",
    "package" : "commons-compress"
  }, {
    "product_name" : "RHINT Service Registry 2.5.11 GA",
    "release_date" : "2024-05-14T00:00:00Z",
    "advisory" : "RHSA-2024:2833",
    "cpe" : "cpe:/a:redhat:service_registry:2.5",
    "package" : "commons-compress"
  }, {
    "product_name" : "RHOSS-1.33-RHEL-8",
    "release_date" : "2024-06-24T00:00:00Z",
    "advisory" : "RHSA-2024:4057",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.33::el8",
    "package" : "openshift-serverless-1/logic-data-index-ephemeral-rhel8:1.33.0-5"
  }, {
    "product_name" : "RHOSS-1.33-RHEL-8",
    "release_date" : "2024-06-24T00:00:00Z",
    "advisory" : "RHSA-2024:4057",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.33::el8",
    "package" : "openshift-serverless-1/logic-data-index-postgresql-rhel8:1.33.0-5"
  }, {
    "product_name" : "RHOSS-1.33-RHEL-8",
    "release_date" : "2024-06-24T00:00:00Z",
    "advisory" : "RHSA-2024:4057",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.33::el8",
    "package" : "openshift-serverless-1/logic-jobs-service-ephemeral-rhel8:1.33.0-5"
  }, {
    "product_name" : "RHOSS-1.33-RHEL-8",
    "release_date" : "2024-06-24T00:00:00Z",
    "advisory" : "RHSA-2024:4057",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.33::el8",
    "package" : "openshift-serverless-1/logic-jobs-service-postgresql-rhel8:1.33.0-5"
  }, {
    "product_name" : "RHOSS-1.33-RHEL-8",
    "release_date" : "2024-06-24T00:00:00Z",
    "advisory" : "RHSA-2024:4057",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.33::el8",
    "package" : "openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8:1.33.0-5"
  }, {
    "product_name" : "RHOSS-1.33-RHEL-8",
    "release_date" : "2024-06-24T00:00:00Z",
    "advisory" : "RHSA-2024:4057",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.33::el8",
    "package" : "openshift-serverless-1/logic-operator-bundle:1.33.0-5"
  }, {
    "product_name" : "RHOSS-1.33-RHEL-8",
    "release_date" : "2024-06-24T00:00:00Z",
    "advisory" : "RHSA-2024:4057",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.33::el8",
    "package" : "openshift-serverless-1/logic-rhel8-operator:1.33.0-3"
  }, {
    "product_name" : "RHOSS-1.33-RHEL-8",
    "release_date" : "2024-06-24T00:00:00Z",
    "advisory" : "RHSA-2024:4057",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.33::el8",
    "package" : "openshift-serverless-1/logic-swf-builder-rhel8:1.33.0-5"
  }, {
    "product_name" : "RHOSS-1.33-RHEL-8",
    "release_date" : "2024-06-24T00:00:00Z",
    "advisory" : "RHSA-2024:4057",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.33::el8",
    "package" : "openshift-serverless-1/logic-swf-devmode-rhel8:1.33.0-5"
  } ],
  "package_state" : [ {
    "product_name" : "A-MQ Clients 2",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:a_mq_clients:2"
  }, {
    "product_name" : "Cryostat 2",
    "fix_state" : "Fix deferred",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:cryostat:2"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "org.elasticsearch-elasticsearch",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Red Hat AMQ Clients",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:amq_clients:2023"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Will not fix",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 3",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:3"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 4",
    "fix_state" : "Affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:4"
  }, {
    "product_name" : "Red Hat build of Debezium 2",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:debezium:2"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat build of OptaPlanner 8",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:optaplanner:::el6"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Will not fix",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat Integration Camel Quarkus 2",
    "fix_state" : "Affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Out of support scope",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Out of support scope",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Will not fix",
    "package_name" : "apache-commons-compress",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Out of support scope",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "Red Hat support for Spring Boot",
    "fix_state" : "Will not fix",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  }, {
    "product_name" : "streams for Apache Kafka",
    "fix_state" : "Not affected",
    "package_name" : "commons-compress",
    "cpe" : "cpe:/a:redhat:amq_streams:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-26308\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26308\nhttps://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg\nhttps://www.openwall.com/lists/oss-security/2024/02/19/2" ],
  "name" : "CVE-2024-26308",
  "mitigation" : {
    "value" : "No mitigation is currently available for this vulnerability.",
    "lang" : "en:us"
  },
  "csaw" : false
}