[ https://issues.apache.org/jira/browse/TOMEE-3768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17414024#comment-17414024 ]

Marius Ionica commented on TOMEE-3768:
--------------------------------------

The official advisory mentions it as also _affecting CXF versions prior to *3.4.4*_

[https://cxf.apache.org/security-advisories.data/CVE-2021-30468.txt.asc?version=1&modificationDate=1623835369690&api=v2]

So to me it looks like 3.4.3 is still vulnerable.


> TomEE plus is affected by CVE-2021-30468 vulnerability related to Apache CXF
> --------------------------------------------------------------------------------
>
>                 Key: TOMEE-3768
>                 URL: https://issues.apache.org/jira/browse/TOMEE-3768
>             Project: TomEE
>          Issue Type: Bug
>    Affects Versions: 8.0.6, 8.0.7
>            Reporter: Jayaprakash
>            Priority: Major
>             Fix For: 8.0.8
>
>
> *Issue:*
> This vulnerability is caused by JsonMapObjectReaderWriter.class of
> cxf-rt-rs-json-basic.jar. When a malformed JSON is submitted to a web
> service, it results in a thread getting stuck in an infinite loop, consuming
> CPU indefinitely.
> This is resolved from Apache CXF 3.3.11 or later.
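The quoted issue describes the failure class, a parsing loop that keeps spinning on unexpected input instead of advancing or failing, without showing code. The following is an added illustration, not Apache CXF's JsonMapObjectReaderWriter code and not a reproduction of its internals: a constructed toy parser for flat JSON objects of string values, with the naive separator loop (which never terminates on a stray character) next to a hardened one that fails fast. The `max_steps` guard is an assumption added only so the naive variant can report "stuck" instead of hanging the reader's interpreter.

```python
# Added illustration of a no-progress parsing loop and its hardened form.
# Constructed toy grammar: flat JSON objects of string values, e.g. {"k": "v"}.
# This is not CXF's code; see the lead-in above.


class MalformedJson(ValueError):
    """Raised when the parser meets input it cannot accept."""


def skip_ws(text, i):
    """Return the index of the first non-whitespace character at or after i."""
    while i < len(text) and text[i] in " \t\r\n":
        i += 1
    return i


def read_string(text, i):
    """Read a double-quoted string (toy grammar, no escapes) starting at i."""
    if i >= len(text) or text[i] != '"':
        raise MalformedJson(f"expected '\"' at offset {i}")
    end = text.find('"', i + 1)
    if end == -1:
        raise MalformedJson("unterminated string")
    return text[i + 1:end], end + 1


def _parse_object(text, enforce_progress, max_steps):
    """Shared core. Naive and hardened differ only in what the separator loop
    does when it meets a character it does not expect."""
    result = {}
    i = skip_ws(text, 0)
    if i >= len(text) or text[i] != "{":
        raise MalformedJson("expected '{'")
    i = skip_ws(text, i + 1)
    steps = 0
    while i < len(text) and text[i] != "}":
        key, i = read_string(text, i)
        i = skip_ws(text, i)
        if i >= len(text) or text[i] != ":":
            raise MalformedJson("expected ':'")
        value, i = read_string(text, skip_ws(text, i + 1))
        result[key] = value
        i = skip_ws(text, i)
        # Separator loop: after a member, look for ',' or '}'.
        while i < len(text) and text[i] != "}":
            if text[i] == ",":
                i = skip_ws(text, i + 1)
                break
            if enforce_progress:
                # Hardened: an unexpected character is an error, not a retry.
                raise MalformedJson(f"unexpected {text[i]!r} at offset {i}")
            # Naive: neither advances i nor fails, so this spins forever.
            # max_steps is an assumed guard so the illustration can report the
            # hang rather than hang; it is not part of the bug pattern.
            steps += 1
            if steps > max_steps:
                raise RuntimeError("no progress: parser is stuck")
    if i >= len(text) or text[i] != "}":
        raise MalformedJson("expected '}'")
    return result


def parse_object_naive(text, max_steps=10_000):
    """Buggy variant: stalls on any character other than ',' or '}' after a member."""
    return _parse_object(text, enforce_progress=False, max_steps=max_steps)


def parse_object_hardened(text):
    """Fixed variant: every loop iteration either advances the cursor or raises."""
    return _parse_object(text, enforce_progress=True, max_steps=0)


def classify(parser, text):
    """Outcome label: 'ok', 'rejected' (clean error) or 'stuck' (no progress)."""
    try:
        parser(text)
        return "ok"
    except MalformedJson:
        return "rejected"
    except RuntimeError:
        return "stuck"


if __name__ == "__main__":
    GOOD = '{"name": "tomee", "version": "8.0.8"}'      # constructed sample
    BAD = '{"name": "tomee" ; "version": "8.0.8"}'      # constructed: ';' where ',' belongs
    for label, text in (("well-formed", GOOD), ("malformed", BAD)):
        print(f"{label:11} naive={classify(parse_object_naive, text):8} "
              f"hardened={classify(parse_object_hardened, text)}")
```

The property worth testing in any hand-written scanner is the one the hardened variant enforces: every iteration of every loop must either move the cursor forward or raise. A unit test that feeds the parser a member followed by a stray character, and expects a prompt rejection rather than a timeout, catches this class of CPU-exhaustion bug before it reaches a service endpoint.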



--
This message was sent by Atlassian Jira
(v8.3.4#803005)