Denial of service vulnerability in Apache CXF

SEC Consult Vulnerability Lab Security Advisory < 20130709-0 >

=======================================================================

title: Denial of service vulnerability

product: Apache CXF

vulnerable version: Apache CXF prior to 2.5.10, 2.6.7 and 2.7.4

fixed version: Apache CXF 2.5.10, 2.6.7 and 2.7.4 onwards

CVE number: CVE-2013-2160

impact: Critical

homepage: cxf.apache.org

found: 2013-02-01

by: Andreas Falkenberg, SEC Consult Vulnerability Lab

Christian Mainka, Ruhr-University Bochum

Juraj Somorovsky, Ruhr-University Bochum

Joerg Schwenk, Ruhr-University Bochum

www.sec-consult.com

=======================================================================

 

Vendor/product description:

------------------------------------------------------------------------------

"Apache CXF is an open source services framework. CXF helps you build and

develop services using frontend programming APIs, like JAX-WS and JAX-RS.

These services can speak a variety of protocols such as SOAP, XML/HTTP,

RESTful HTTP, or CORBA and work over a variety of transports such as HTTP,

JMS or JBI."

 

URL: cxf.apache.org

 

 

Business recommendation:

------------------------------------------------------------------------------

Various denial of service attack vectors were found within Apache CXF.

The recommendation of SEC Consult is to immediately perform an update.

 

 

 

Vulnerability overview/description:

------------------------------------------------------------------------------

It is possible to execute Denial of Service attacks on Apache CXF, exploiting

the fact that the streaming XML parser does not put limits on things like the

number of elements, number of attributes, the nested structure of the document

received, etc. The effects of these attacks can vary from causing high CPU

usage, to causing the JVM to run out of memory.

URL: cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc

 

 

Proof of concept:

------------------------------------------------------------------------------

The following SOAP message will trigger a denial of service:

 

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body>
	<element>
		<element>
			<element>
				<element>
					[thousands more]
				</element>
			</element>
		</element>
	</element>		
  </soap:Body>
</soap:Envelope>

 

There are various other XML payloads that will also trigger a denial of

service on vulnerable services.

 

 

Vulnerable / tested versions:

------------------------------------------------------------------------------

This vulnerability affects all versions of Apache CXF prior to 2.5.10, 2.6.7

and 2.7.4.

 

 

Vendor contact timeline:

------------------------------------------------------------------------------

2013-02-22: Advisory sent to vendor by Juraj Somorovsky (RUB)

2013-02-22: Advisory acknowledged by vendor

2013-04-19: Vendor confirms vulnerability

2013-05-15: Vendor publishes fixed version

2013-06-27: Vulnerability is disclosed by vendor

2013-07-09: SEC Consult releases security advisory

 

 

Solution:

------------------------------------------------------------------------------

CXF 2.5.x users should upgrade to 2.5.10 or later as soon as possible.

CXF 2.6.x users should upgrade to 2.6.7 or later as soon as possible.

CXF 2.7.x users should upgrade to 2.7.4 or later as soon as possible.

 

Also see the advisory of the vendor:

cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc

 

 

Workaround:

------------------------------------------------------------------------------

No workaround available.

 

 

Advisory URL:

------------------------------------------------------------------------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

 

SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

 

Headquarter:

Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

EOF Andreas Falkenberg / @2013