cxf-dev mailing list archives

From Daniel Kulp <dk...@apache.org>
Subject Re: [Important] Apache CXF security advisory CVE-2010-2076
Date Thu, 17 Jun 2010 13:17:22 GMT
On Wednesday 16 June 2010 10:00:03 pm Nikolay Elenkov wrote:
> On 2010/06/17 0:29, Daniel Kulp wrote:
> > The Apache CXF team recently discovered a security issue that may allow
> > an attacker to carry out denial of service attacks and to read arbitrary
> > files on the file system of the node where CXF runs. Details of the
> > vulnerability are described in the following advisory:
> > 
> > http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf
> 
> I know it is better to upgrade, but just to confirm, are we OK if we are
> using only SOAP binding
> (@BindingType("http://schemas.xmlsoap.org/wsdl/soap/http"))? I did test it
> with the example exploits in the advisory, and it doesn't seem to be
> vulnerable, but could you confirm?

It MAY be vulnerable depending on the Stax parser that's being picked up. In
particular, the stuff in section 5.2 of the advisory could be a problem. For
example:


<!DOCTYPE Envelope SYSTEM "http://www.google.com/search?q=test">
<soap:Envelope>......</soap:Envelope>

MAY result in the parser calling off to google prior to us being able to send
the fault back due to the DTD being there. The parser may process the DTD
prior to us getting the event that it is there. I don't really know what
kind of problems being able to do a "get" on a URL from within Java can
produce. Possibly a DoS if they send enough requests to tie up network
resources. I don't really know. That said, it also depends on the parser.
The parser may or may not process the DTD prior to the event. I don't really
know which do and which don't.


I don't believe the stuff in sections 5.1 and 5.3 is a problem, as we would
fault out prior to any entities being expanded and data being exposed.


-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
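As an added illustration (not part of the original thread, nor CXF's own code) of the point above: if the StAX factory is told to refuse DTDs before scanning starts, the SYSTEM identifier in the DOCTYPE is never dereferenced, whichever parser implementation is picked up. The sample envelope and its URL are constructed for this example; how a given parser reports a rejected DOCTYPE differs between implementations.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Added example, not CXF project code: a StAX factory configured so that
// a DOCTYPE with an external subset is never resolved by the parser.
public class DtdRejectingStaxDemo {

    // Constructed sample modelled on the message quoted in the thread.
    // The URL is a placeholder; with DTD support disabled it is never contacted.
    static final String ENVELOPE_WITH_DOCTYPE =
        "<!DOCTYPE Envelope SYSTEM \"http://example.invalid/external.dtd\">\n"
      + "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soap:Body/></soap:Envelope>";

    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // Do not process DTDs at all (neither internal nor external subset).
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Never resolve external entities even if a DTD were processed.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /** Returns true if the document parsed to the end, false if the parser refused it. */
    static boolean parse(XMLInputFactory f, String xml) {
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.DTD) {
                    // Some implementations still report the DOCTYPE as an event while
                    // skipping its processing; others throw instead of reaching here.
                    System.out.println("DTD event reported but not processed");
                }
            }
            r.close();
            return true;
        } catch (XMLStreamException e) {
            System.out.println("parser refused the document: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        boolean accepted = parse(hardenedFactory(), ENVELOPE_WITH_DOCTYPE);
        System.out.println(accepted ? "parsed; external subset not fetched"
                                    : "refused at the DOCTYPE");
    }
}
```

Either outcome is acceptable from a defender's point of view: the application sees a fault or a skipped DTD, and no outbound request is made for the external subset.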
