exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Apache CXF 2.5.10 / 2.6.7 / 2.7.4 Denial Of Service

Apache CXF 2.5.10 / 2.6.7 / 2.7.4 Denial Of Service
Posted Jul 9, 2013
Authored by A. Falkenberg, Joerg Schwenk, Juraj Somorovsky, Christian Mainka | Site sec-consult.com

Apache CXF versions prior to 2.5.10, 2.6.7, and 2.7.4 suffer from a denial of service vulnerability.

tags | exploit, denial of service
advisories | CVE-2013-2160
SHA-256 | bd800eccaafd0f41d9a2aa6be1e7ad144231f64eaa6af3b4f06fce8a84901843

Apache CXF 2.5.10 / 2.6.7 / 2.7.4 Denial Of Service

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20130709-0 >
=======================================================================
title: Denial of service vulnerability
product: Apache CXF
vulnerable version: Apache CXF prior to 2.5.10, 2.6.7 and 2.7.4
fixed version: Apache CXF 2.5.10, 2.6.7 and 2.7.4 onwards
CVE number: CVE-2013-2160
impact: Critical
homepage: http://cxf.apache.org/
found: 2013-02-01
by: Andreas Falkenberg, SEC Consult Vulnerability Lab
Christian Mainka, Ruhr-University Bochum
Juraj Somorovsky, Ruhr-University Bochum
Joerg Schwenk, Ruhr-University Bochum
https://www.sec-consult.com
=======================================================================

Vendor/product description:
------------------------------------------------------------------------------
"Apache CXF is an open source services framework. CXF helps you build and
develop services using frontend programming APIs, like JAX-WS and JAX-RS.
These services can speak a variety of protocols such as SOAP, XML/HTTP,
RESTful HTTP, or CORBA and work over a variety of transports such as HTTP,
JMS or JBI."

URL: http://cxf.apache.org/


Business recommendation:
------------------------------------------------------------------------------
Various denial of service attack vectors were found within Apache CXF.
The recommendation of SEC Consult is to immediately perform an update.



Vulnerability overview/description:
------------------------------------------------------------------------------
It is possible to execute Denial of Service attacks on Apache CXF, exploiting
the fact that the streaming XML parser does not put limits on things like the
number of elements, number of attributes, the nested structure of the document
received, etc. The effects of these attacks can vary from causing high CPU
usage, to causing the JVM to run out of memory.
URL: http://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc


Proof of concept:
------------------------------------------------------------------------------
The following SOAP message will trigger a denial of service:

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Body>
<element>
<element>
<element>
<element>
[thousands more]
</element>
</element>
</element>
</element>
</soap:Body>
</soap:Envelope>

There are various other XML payloads that will also trigger a denial of
service on vulnerable services.


Vulnerable / tested versions:
------------------------------------------------------------------------------
This vulnerability affects all versions of Apache CXF prior to 2.5.10, 2.6.7
and 2.7.4.


Vendor contact timeline:
------------------------------------------------------------------------------
2013-02-22: Advisory sent to vendor by Juraj Somorovsky (RUB)
2013-02-22: Advisory acknowledged by vendor
2013-04-19: Vendor confirms vulnerability
2013-05-15: Vendor publishes fixed version
2013-06-27: Vulnerability is disclosed by vendor
2013-07-09: SEC Consult releases security advisory


Solution:
------------------------------------------------------------------------------
CXF 2.5.x users should upgrade to 2.5.10 or later as soon as possible.
CXF 2.6.x users should upgrade to 2.6.7 or later as soon as possible.
CXF 2.7.x users should upgrade to 2.7.4 or later as soon as possible.

Also see the advisory of the vendor:
http://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc


Workaround:
------------------------------------------------------------------------------
No workaround available.


Advisory URL:
------------------------------------------------------------------------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Andreas Falkenberg / @2013
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close