Vulnerability Description
A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the processing thread getting stuck in an infinite loop and consuming CPU indefinitely (a denial of service). This issue affects Apache CXF versions prior to 3.4.4 and Apache CXF versions prior to 3.3.11.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | CXF | < 3.3.11 |
| Apache | TomEE | 8.0.6 |
| Oracle | Business Intelligence | 5.5.0.0.0 |
| Oracle | Communications Element Manager | 8.2.2 |
| Oracle | Communications Messaging Server | 8.1 |
References
- http://cxf.apache.org/security-advisories.data/CVE-2021-30468.txt.asc (Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2021/06/16/2 (Mailing List, Third Party Advisory)
- https://lists.apache.org/thread.html/r3f46ae38e4a6e80c069cdb320e0ce831b0a21a12ef
- https://lists.apache.org/thread.html/r4771084730c4cf6e59eda60b4407122c86f174eb75
- https://lists.apache.org/thread.html/r4a4b6bc0520b69c18d2a59daa6af84ae49f0c22164
- https://lists.apache.org/thread.html/r54c0f1cbbb9f381dfbedb9ea5e90ecb1c0a15371f4
- https://lists.apache.org/thread.html/ra833f78b3fa577cb43558cf343859a1bf70b1c5ce2
- https://lists.apache.org/thread.html/rac07822057521dccf33ab5d136e0e8c599a6e2c8ac
- https://lists.apache.org/thread.html/re5b2a2b77faa22684d47bd2ac6623135c615565328
- https://lists.apache.org/thread.html/re9e05c6cab5f0dcc827eba4e6fcf26fa0b493e7ca8
- https://security.netapp.com/advisory/ntap-20210917-0002/ (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
FAQ
What is CVE-2021-30468?
CVE-2021-30468 is a vulnerability with a CVSS score of 7.5 (HIGH). A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely.
How severe is CVE-2021-30468?
CVE-2021-30468 has been rated HIGH with a CVSS base score of 7.5/10. See the CVSS Score section above.
Is there a patch for CVE-2021-30468?
Check the references section above for vendor advisories and patch information. Affected products include: Apache CXF, Apache TomEE, Oracle Business Intelligence, Oracle Communications Element Manager, and Oracle Communications Messaging Server.