Skip to content
cyberexploits
dosmultipletext

Apache CXF < 2.5.10 / 2.6.7 / 2.7.4 - Denial of Service

Apache CXF < 2.5.10 / 2.6.7 / 2.7.4 - Denial of Service

Publié le 2013-07-09

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/multiple/dos/26710.txt7eac4c3a
raw
SEC Consult Vulnerability Lab Security Advisory < 20130709-0 >

=======================================================================

              title: Denial of service vulnerability

            product: Apache CXF

 vulnerable version: Apache CXF prior to 2.5.10, 2.6.7 and 2.7.4

      fixed version: Apache CXF 2.5.10, 2.6.7 and 2.7.4 onwards

         CVE number: CVE-2013-2160

             impact: Critical

           homepage: http://cxf.apache.org/

              found: 2013-02-01

                 by: Andreas Falkenberg, SEC Consult Vulnerability Lab

                     Christian Mainka, Ruhr-University Bochum

                     Juraj Somorovsky, Ruhr-University Bochum

                     Joerg Schwenk, Ruhr-University Bochum

                     https://www.sec-consult.com

=======================================================================



Vendor/product description:

------------------------------------------------------------------------------

"Apache CXF is an open source services framework. CXF helps you build and 

develop services using frontend programming APIs, like JAX-WS and JAX-RS. 

These services can speak a variety of protocols such as SOAP, XML/HTTP, 

RESTful HTTP, or CORBA and work over a variety of transports such as HTTP, 

JMS or JBI."



URL: http://cxf.apache.org/





Business recommendation:

------------------------------------------------------------------------------

Various denial of service attack vectors were found within Apache CXF. 

The recommendation of SEC Consult is to immediately perform an update.







Vulnerability overview/description:

------------------------------------------------------------------------------

It is possible to execute Denial of Service attacks on Apache CXF, exploiting

the fact that the streaming XML parser does not put limits on things like the

number of elements, number of attributes, the nested structure of the document

received, etc. The effects of these attacks can vary from causing high CPU

usage, to causing the JVM to run out of memory.

URL: http://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc





Proof of concept:

------------------------------------------------------------------------------

The following SOAP message will trigger a denial of service:



<?xml version="1.0"?>

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope";>

  <soap:Body>

        <element>

                <element>

                        <element>

                                <element>

                                        [thousands more]

                                </element>

                        </element>

                </element>

        </element>              

  </soap:Body>

</soap:Envelope>



There are various other XML payloads that will also trigger a denial of 

service on vulnerable services.





Vulnerable / tested versions:

------------------------------------------------------------------------------

This vulnerability affects all versions of Apache CXF prior to 2.5.10, 2.6.7

and 2.7.4.





Vendor contact timeline:

------------------------------------------------------------------------------

2013-02-22: Advisory sent to vendor by Juraj Somorovsky (RUB)

2013-02-22: Advisory acknowledged by vendor

2013-04-19: Vendor confirms vulnerability

2013-05-15: Vendor publishes fixed version

2013-06-27: Vulnerability is disclosed by vendor

2013-07-09: SEC Consult releases security advisory 





Solution:

------------------------------------------------------------------------------

CXF 2.5.x users should upgrade to 2.5.10 or later as soon as possible.

CXF 2.6.x users should upgrade to 2.6.7 or later as soon as possible.

CXF 2.7.x users should upgrade to 2.7.4 or later as soon as possible.



Also see the advisory of the vendor:

http://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc





Workaround:

------------------------------------------------------------------------------

No workaround available.





Advisory URL:

------------------------------------------------------------------------------

https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab



SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius



Headquarter:

Mooslackengasse 17, 1190 Vienna, Austria

Phone:   +43 1 8903043 0

Fax:     +43 1 8903043 15



Mail: research at sec-consult dot com

Web: https://www.sec-consult.com

Blog: http://blog.sec-consult.com

Twitter: https://twitter.com/sec_consult



EOF Andreas Falkenberg / @2013
Voir sur GitHub