cxf-dev mailing list archives

From Nikolay Elenkov <n...@sarion.co.jp>
Subject Re: [Important] Apache CXF security advisory CVE-2010-2076
Date Fri, 18 Jun 2010 03:17:13 GMT
On 2010/06/17 22:17, Daniel Kulp wrote:
> On Wednesday 16 June 2010 10:00:03 pm Nikolay Elenkov wrote:
>> On 2010/06/17 0:29, Daniel Kulp wrote:
>>> The Apache CXF team recently discovered a security issue that may allow
>>> an attacker to carry out denial of service attacks and to read arbitrary
>>> files on the file system of the node where CXF runs. Details of the
>>> vulnerability are described in the following advisory:
>>>
>>> http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf
>>
>> I know it is better to upgrade, but just to confirm, are we OK if we are
>> using only SOAP binding
>> (@BindingType("http://schemas.xmlsoap.org/wsdl/soap/http"))? I did test it
>> with the example exploits in the advisory, and it doesn't seem to be
>> vulnerable, but could you confirm?
> 
> It MAY be vulnerable depending on the Stax parser that's being picked up. In
> particular, the stuff in section 5.2 of the advisory could be a problem. For
> example:
> 
> 
> <!DOCTYPE Envelope SYSTEM "http://www.google.com/search?q=test">
> <soap:Envelope>......</soap:Envelope>
> 

Apparently 2.2.7 has the Woodstox parser as a dependency, and for the above
request that gives the following (on Tomcat 5.5):

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<soap:Fault>
  <faultcode>soap:Client</faultcode>
  <faultstring>Error reading XMLStreamReader.</faultstring>
</soap:Fault>
</soap:Body>
</soap:Envelope>

With the cause exception:

Caused by: com.ctc.wstx.exc.WstxParsingException: Received event DTD, instead of
START_ELEMENT or END_ELEMENT.

So I guess we are safe. Anyone that built using Maven should get the same, so
it should be mostly OK? Unless of course their appserver ignores the bundled
parser and uses the system one for some reason.

> 
> I don't believe the stuff in section 5.1 and 5.3 are a problem as we would
> fault out prior to any entities being expanded and data being exposed.
> 
> 

Thanks for the confirmation.
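A defender-side check in the spirit of the fault shown above, as an added example that is not CXF's or Woodstox's own code: a StAX reader built with the standard javax.xml.stream properties that disable DTD processing and external entity resolution, which additionally faults on any DTD event before the root element, as the CXF reader in the quoted exception does. The class and method names and the DOCTYPE URL in the sample messages are constructed for this example.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class DoctypeRejectingReader {
    // Factory that neither processes DTDs nor resolves external entities.
    // Both property names are part of the standard StAX API; Woodstox honours them.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Returns the local name of the root element, or throws before anything
    // named in a DOCTYPE could be fetched. Depending on the parser, next() may
    // itself throw on the DOCTYPE; otherwise the DTD event is rejected here.
    static String rootElementOrFault(String xml) throws XMLStreamException {
        XMLStreamReader r = hardenedFactory().createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                int event = r.next();
                if (event == XMLStreamConstants.DTD) {
                    // Same decision as the CXF fault in the thread: a DTD where a
                    // start element is expected is a client error, not input to act on.
                    throw new XMLStreamException("Received event DTD, instead of START_ELEMENT");
                }
                if (event == XMLStreamConstants.START_ELEMENT) {
                    return r.getLocalName();
                }
            }
            throw new XMLStreamException("no root element found");
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) throws XMLStreamException {
        // Constructed sample messages: a plain envelope and one carrying an external DOCTYPE.
        String plain = "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                     + "<soap:Body/></soap:Envelope>";
        String withDoctype = "<!DOCTYPE Envelope SYSTEM \"http://example.invalid/x.dtd\">" + plain;
        System.out.println("plain -> root element " + rootElementOrFault(plain));
        try {
            rootElementOrFault(withDoctype);
        } catch (XMLStreamException e) {
            System.out.println("doctype -> rejected: " + e.getMessage());
        }
    }
}
```

Verifying that the deployed container really uses the bundled Woodstox jar rather than a system parser, as the message above cautions, is a separate check: log the class name of the XMLInputFactory instance at startup.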
