First published: Wed Jun 16 2021
A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.3.11 and the 3.4.x line prior to 3.4.4.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache CXF | <3.3.11 | 3.3.11 |
| Apache CXF | >=3.4.0, <3.4.4 | 3.4.4 |
| Apache TomEE | =8.0.6 | |
| Oracle Business Intelligence | =5.5.0.0.0 | |
| Oracle Business Intelligence | =5.9.0.0.0 | |
| Oracle Business Intelligence | =12.2.1.3.0 | |
| Oracle Business Intelligence | =12.2.1.4.0 | |
| Oracle Communications Element Manager | =8.2.2 | |
| Oracle Communications Messaging Server | =8.1 | |
| redhat/apache-cxf | <3.3.11 | 3.3.11 |
| redhat/apache-cxf | <3.4.4 | 3.4.4 |
| | <=10.5 | |
| | <=10.6 | |
| | <=11.0 | |
| | <=11.1 | |
| | <=11.2 | |
| | <=11.3 | |
| | <=11.4 | |
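As an added illustration that is not part of the advisory, the script below checks a Maven dependency list against the affected Apache CXF ranges in the table above and names the release to upgrade to; the sample `mvn dependency:list` lines and their artifact names are constructed for the example, not taken from this page.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges and fixed releases, from the advisory table above (upstream CXF
# ranges; Red Hat's own entry simply lists everything below 3.4.4).
AFFECTED_RANGES = [
    ((0, 0, 0), (3, 3, 11), "3.3.11"),  # every release before 3.3.11
    ((3, 4, 0), (3, 4, 4), "3.4.4"),    # 3.4.0 up to, not including, 3.4.4
]

def parse_version(text: str) -> Tuple[int, int, int]:
    """Reduce '3.4.3' or '3.4.3.redhat-00001' to a comparable (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def fixed_version_for(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is affected, otherwise None."""
    v = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        if low <= v < high:
            return fix
    return None

# One `mvn dependency:list` entry has the shape groupId:artifactId:type:version:scope.
DEP_LINE = re.compile(r"(org\.apache\.cxf):([\w.-]+):jar:([^:\s]+):(\w+)")

def audit_dependency_list(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (artifact, version, fix) for every CXF artifact inside an affected range."""
    findings = []
    for line in lines:
        m = DEP_LINE.search(line)
        if not m:
            continue  # not an Apache CXF artifact
        _, artifact, version, _ = m.groups()
        fix = fixed_version_for(version)
        if fix is not None:
            findings.append((artifact, version, fix))
    return findings

# Constructed sample in the shape of `mvn dependency:list` output (not real project data).
SAMPLE_DEPENDENCY_LIST = [
    "[INFO]    org.apache.cxf:cxf-core:jar:3.3.10:compile",
    "[INFO]    org.apache.cxf:cxf-rt-rs-json-basic:jar:3.4.3:compile",
    "[INFO]    org.apache.cxf:cxf-rt-frontend-jaxrs:jar:3.4.4:compile",
    "[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.12.3:compile",
]
```

Running `audit_dependency_list(SAMPLE_DEPENDENCY_LIST)` flags the 3.3.10 and 3.4.3 artifacts and leaves 3.4.4 alone.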
The vulnerability ID is CVE-2021-30468.
The severity of CVE-2021-30468 is high, with a CVSS base score of 7.5.
CVE-2021-30468 affects Apache CXF versions prior to 3.4.4.
The impact of CVE-2021-30468 is a denial of service caused by an infinite loop flaw in the JsonMapObjectReaderWriter of Apache CXF.
To fix CVE-2021-30468, upgrade to Apache CXF version 3.4.4 or later.