[jira] [Commented] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF

Richard Zowalla (Jira) Wed, 01 Sep 2021 04:46:10 -0700


    [ 
https://issues.apache.org/jira/browse/TOMEE-3768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17408110#comment-17408110
 ]


Richard Zowalla commented on TOMEE-3768:
----------------------------------------

Fixed with 
https://github.com/apache/tomee/commit/8e9c2a79593d7f5862437630db35da9dffba778c

> TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache 
> CXF
> --------------------------------------------------------------------------------
>
>                 Key: TOMEE-3768
>                 URL: https://issues.apache.org/jira/browse/TOMEE-3768
>             Project: TomEE
>          Issue Type: Bug
>    Affects Versions: 8.0.6, 8.0.7
>            Reporter: Jayaprakash
>            Priority: Major
>             Fix For: 8.0.8
>
>
> *Issue:* 
> This vulnerability is caused by JsonMapObjectReaderWriter.class of 
> cxf-rt-rs-json-basic.jar. When a malformed JSON is submitted to a web 
> service, it results in thread getting stuck in an infinite loop, consuming 
> CPU indefinitely. 
> This is resolved from Apache CXF 3.3.11 or later. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF

Reply via email to