csaf2cusa/csaf/advisories/2024/csaf-openEuler-SA-2024-1915.json

{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"High"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https:/www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"avro security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for avro is now available for openEuler-20.03-LTS-SP4.",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"Apache Avro is a data serialization system.\n\nSecurity Fix(es):\n\nWhen deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.\n\nThis issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2.  Users should update to apache-avro version 1.11.3 which addresses this issue.\n\n(CVE-2023-39410)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for avro is now available for openEuler-20.03-LTS-SP4.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"High",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"avro",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2024-1915",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/security-bulletins/detail?id=openEuler-SA-2024-1915"
			},
			{
				"summary":"CVE-2023-39410",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-39410&packageName=avro"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39410"
			},
			{
				"summary":"openEuler-SA-2024-1915 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2024/csaf-openEuler-SA-2024-1915.json"
			}
		],
		"title":"An update for avro is now available for openEuler-20.03-LTS-SP4",
		"tracking":{
			"initial_release_date":"2024-08-02T19:41:45+08:00",
			"revision_history":[
				{
					"date":"2024-08-02T19:41:45+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				},
        {
					"date":"2024-08-05T11:30:23+08:00",
					"summary":"final",
					"number":"2.0.0"
				}
			],
			"generator":{
				"date":"2024-08-05T11:30:23+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2024-08-05T11:30:23+08:00",
			"id":"openEuler-SA-2024-1915",
			"version":"2.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4"
									},
									"product_id":"openEuler-20.03-LTS-SP4",
									"name":"openEuler-20.03-LTS-SP4"
								},
								"name":"openEuler-20.03-LTS-SP4",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"aarch64",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4"
									},
									"product_id":"avro-1.10.2-5.oe2003sp4.aarch64.rpm",
									"name":"avro-1.10.2-5.oe2003sp4.aarch64.rpm"
								},
								"name":"avro-1.10.2-5.oe2003sp4.aarch64.rpm",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4"
									},
									"product_id":"avro-1.10.2-5.oe2003sp4.src.rpm",
									"name":"avro-1.10.2-5.oe2003sp4.src.rpm"
								},
								"name":"avro-1.10.2-5.oe2003sp4.src.rpm",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"x86_64",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4"
									},
									"product_id":"avro-1.10.2-5.oe2003sp4.x86_64.rpm",
									"name":"avro-1.10.2-5.oe2003sp4.x86_64.rpm"
								},
								"name":"avro-1.10.2-5.oe2003sp4.x86_64.rpm",
								"category":"product_version"
							}
						],
						"category":"product_name"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP4",
				"product_reference":"avro-1.10.2-5.oe2003sp4.aarch64.rpm",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP4:avro-1.10.2-5.oe2003sp4.aarch64",
					"name":"avro-1.10.2-5.oe2003sp4.aarch64 as a component of openEuler-20.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP4",
				"product_reference":"avro-1.10.2-5.oe2003sp4.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP4:avro-1.10.2-5.oe2003sp4.src",
					"name":"avro-1.10.2-5.oe2003sp4.src as a component of openEuler-20.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP4",
				"product_reference":"avro-1.10.2-5.oe2003sp4.x86_64.rpm",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP4:avro-1.10.2-5.oe2003sp4.x86_64",
					"name":"avro-1.10.2-5.oe2003sp4.x86_64 as a component of openEuler-20.03-LTS-SP4"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2023-39410",
			"notes":[
				{
					"text":"When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2.  Users should update to apache-avro version 1.11.3 which addresses this issue.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-20.03-LTS-SP4:avro-1.10.2-5.oe2003sp4.aarch64",
					"openEuler-20.03-LTS-SP4:avro-1.10.2-5.oe2003sp4.src",
					"openEuler-20.03-LTS-SP4:avro-1.10.2-5.oe2003sp4.x86_64"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-20.03-LTS-SP4:avro-1.10.2-5.oe2003sp4.aarch64",
						"openEuler-20.03-LTS-SP4:avro-1.10.2-5.oe2003sp4.src",
						"openEuler-20.03-LTS-SP4:avro-1.10.2-5.oe2003sp4.x86_64"
					],
					"details":"avro security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1915"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"HIGH",
						"baseScore":7.5,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
						"version":"3.1"
					},
					"products":[
						"openEuler-20.03-LTS-SP4:avro-1.10.2-5.oe2003sp4.aarch64",
						"openEuler-20.03-LTS-SP4:avro-1.10.2-5.oe2003sp4.src",
						"openEuler-20.03-LTS-SP4:avro-1.10.2-5.oe2003sp4.x86_64"
					]
				}
			],
			"threats":[
				{
					"details":"High",
					"category":"impact"
				}
			],
			"title":"CVE-2023-39410"
		}
	]
}