Description

Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property "attachment-max-header-size".

Remediation

References

http://cxf.apache.org/security-advisories.data/CVE-2017-12624.txt.asc

http://www.securityfocus.com/bid/101859

http://www.securitytracker.com/id/1040486

https://access.redhat.com/errata/RHSA-2018:2423

https://access.redhat.com/errata/RHSA-2018:2424

https://access.redhat.com/errata/RHSA-2018:2425

https://access.redhat.com/errata/RHSA-2018:2428

https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E

Related Vulnerabilities

CVE-2021-44550 Vulnerability in maven package edu.stanford.nlp:stanford-corenlp

CVE-2022-31198 Vulnerability in npm package @openzeppelin/contracts-upgradeable

CVE-2019-1003047 Vulnerability in maven package org.jenkins-ci.plugins:fortify-on-demand-uploader

CVE-2023-2585 Vulnerability in maven package org.keycloak:keycloak-services

CVE-2020-36184 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

Severity

Medium

Classification

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Tags

Issue Tracking Vendor Advisory Third Party Advisory VDB Entry NVD-CWE-noinfo