You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@tomee.apache.org by "Richard Zowalla (Jira)" <ji...@apache.org> on 2021/09/01 11:46:00 UTC
[jira] [Commented] (TOMEE-3768) TomEE plus is affected by
CVE-CVE-2021-30468 vulnerability related to Apache CXF
[ https://issues.apache.org/jira/browse/TOMEE-3768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17408110#comment-17408110 ]
Richard Zowalla commented on TOMEE-3768:
----------------------------------------
Fixed with https://github.com/apache/tomee/commit/8e9c2a79593d7f5862437630db35da9dffba778c
> TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF
> --------------------------------------------------------------------------------
>
> Key: TOMEE-3768
> URL: https://issues.apache.org/jira/browse/TOMEE-3768
> Project: TomEE
> Issue Type: Bug
> Affects Versions: 8.0.6, 8.0.7
> Reporter: Jayaprakash
> Priority: Major
> Fix For: 8.0.8
>
>
> *Issue:*
> This vulnerability is caused by JsonMapObjectReaderWriter.class of cxf-rt-rs-json-basic.jar. When a malformed JSON is submitted to a web service, it results in thread getting stuck in an infinite loop, consuming CPU indefinitely.
> This is resolved from Apache CXF 3.3.11 or later.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)