First published: Wed Jun 16 2021
A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which causes the handling thread to get stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF 3.4.x versions prior to 3.4.4 and 3.3.x versions prior to 3.3.11.
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/apache-cxf | <3.3.11 | 3.3.11 |
redhat/apache-cxf | <3.4.4 | 3.4.4 |
IBM InfoSphere Guardium z/OS | <=10.5 | |
IBM InfoSphere Guardium z/OS | <=10.6 | |
IBM InfoSphere Guardium z/OS | <=11.0 | |
IBM InfoSphere Guardium z/OS | <=11.1 | |
IBM InfoSphere Guardium z/OS | <=11.2 | |
IBM InfoSphere Guardium z/OS | <=11.3 | |
IBM InfoSphere Guardium z/OS | <=11.4 | |
Apache CXF | <3.3.11 | |
Apache CXF | >=3.4.0, <3.4.4 | |
Apache TomEE | =8.0.6 | |
Oracle Business Intelligence Enterprise Edition | =5.5.0.0.0 | |
Oracle Business Intelligence Enterprise Edition | =5.9.0.0.0 | |
Oracle Business Intelligence Enterprise Edition | =12.2.1.3.0 | |
Oracle Business Intelligence Enterprise Edition | =12.2.1.4.0 | |
Oracle Communications Element Manager | =8.2.2 | |
Sun iPlanet Messaging Server | =8.1 | |
The vulnerability ID is CVE-2021-30468.
The severity of CVE-2021-30468 is high with a severity value of 7.5.
CVE-2021-30468 affects Apache CXF versions prior to 3.4.4.
The impact of CVE-2021-30468 is a denial of service caused by an infinite loop flaw in the JsonMapObjectReaderWriter of Apache CXF.
To fix CVE-2021-30468, upgrade to Apache CXF version 3.4.4 or later.
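The affected-version table above mixes two disjoint ranges for Apache CXF (everything before 3.3.11, and 3.4.0 up to but not including 3.4.4), and a naive string comparison of version numbers gets this wrong (for example "3.3.9" sorts after "3.3.11" lexically). The script below is an added example, not code from the advisory or from the Apache CXF project: it encodes the two ranges from the table, compares versions numerically with Maven-style ordering for qualifiers (so a 3.4.4-SNAPSHOT pre-release is still treated as affected), and walks a pom.xml fragment to flag org.apache.cxf dependencies that fall inside the ranges. The sample POM, its property name and the artifactId values are constructed for the example; the only page-sourced values are the version boundaries.

```python
"""Flag Apache CXF dependency versions that fall in the CVE-2021-30468 ranges.

Added example; the affected ranges come from the advisory table, everything
else (sample POM, artifact names, property name) is constructed.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Half-open ranges [low, high) taken from the advisory table:
#   every release before 3.3.11, and 3.4.0 up to (but not including) 3.4.4.
AFFECTED_RANGES = [
    ("0.0.0", "3.3.11"),
    ("3.4.0", "3.4.4"),
]


def version_key(version: str) -> tuple[tuple[int, int, int], int]:
    """Sort key: ((major, minor, patch), release_flag).

    A qualifier such as in '3.4.4-SNAPSHOT' makes the version sort before the
    final 3.4.4 (as Maven orders it), so a pre-release of the fixed version is
    still reported as affected. Missing components are padded with zeros.
    """
    base, _, qualifier = version.strip().partition("-")
    nums = [int(p) for p in base.split(".") if p.isdigit()]
    nums += [0] * (3 - len(nums))
    return (tuple(nums[:3]), 0 if qualifier else 1)


def is_affected(version: str) -> bool:
    """True if the CXF version lies inside one of the advisory's ranges."""
    key = version_key(version)
    return any(version_key(low) <= key < version_key(high) for low, high in AFFECTED_RANGES)


def _local(tag: str) -> str:
    """Strip the XML namespace so '{http://maven.apache.org/POM/4.0.0}version' -> 'version'."""
    return tag.rsplit("}", 1)[-1]


def cxf_versions_in_pom(pom_xml: str) -> list[tuple[str, str]]:
    """Return (artifactId, resolved version) for every org.apache.cxf dependency.

    Versions written as ${property} are resolved from the POM's <properties>
    block, which is how most projects pin a single CXF version.
    """
    root = ET.fromstring(pom_xml)
    props: dict[str, str] = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            for prop in el:
                props[_local(prop.tag)] = (prop.text or "").strip()

    found: list[tuple[str, str]] = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") != "org.apache.cxf":
            continue
        version = fields.get("version", "")
        m = re.fullmatch(r"\$\{(.+)\}", version)
        if m:
            version = props.get(m.group(1), version)
        found.append((fields.get("artifactId", "?"), version))
    return found


def affected_cxf_dependencies(pom_xml: str) -> list[tuple[str, str]]:
    """Subset of cxf_versions_in_pom() whose version is inside an affected range."""
    return [(a, v) for a, v in cxf_versions_in_pom(pom_xml) if is_affected(v)]


# Constructed sample POM: one dependency pinned through a property to 3.4.3
# (affected), one pinned directly to the fixed 3.3.11 release (not affected).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <cxf.version>3.4.3</cxf.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.cxf</groupId>
      <artifactId>cxf-rt-rs-json-basic</artifactId>
      <version>${cxf.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.cxf</groupId>
      <artifactId>cxf-rt-frontend-jaxrs</artifactId>
      <version>3.3.11</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for artifact, version in affected_cxf_dependencies(SAMPLE_POM):
        print(f"AFFECTED: org.apache.cxf:{artifact}:{version} -> upgrade to 3.3.11 / 3.4.4 or later")
```

Run it against a real pom.xml by reading the file into `affected_cxf_dependencies()`; it only inspects the POM you hand it, so transitive CXF versions pulled in by other artifacts still need a dependency-tree listing from the build tool. The ranges are kept as data so the same checker can be reused for the other vendor rows once their fixed versions are known.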