cxf-issues mailing list archives

From "Donald Kwakkel (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CXF-6479) Denial of Service: Regular Expression in StringUtils
Date Tue, 30 Jun 2015 08:32:04 GMT
Donald Kwakkel created CXF-6479:
-----------------------------------

             Summary: Denial of Service: Regular Expression in StringUtils
                 Key: CXF-6479
                 URL: https://issues.apache.org/jira/browse/CXF-6479
             Project: CXF
          Issue Type: Bug
          Components: Core
    Affects Versions: 3.1.1
            Reporter: Donald Kwakkel


Untrusted data is passed to the application and used as a regular expression. This can cause
the thread to over-consume CPU resources.

org.apache.cxf.common.util.StringUtils
{code}
            String separator = getSeparator();
            return StringUtils.split(c, separator);
{code}
Where separator is provided by CacheControlHeader:
{code}
Object sepProperty = message.getContextualProperty(CACHE_CONTROL_SEPARATOR_PROPERTY);
{code}

There is a vulnerability in implementations of regular expression evaluators and related methods
that can cause the thread to hang when evaluating nested and repeated regex groups that overlap
(repeating and alternating). This defect can be used to execute a DoS (Denial of Service)
attack.
Example:
{code}
(e+)+
([a-zA-Z]+)*
{code}

There are no known regular expression implementations which are immune to this vulnerability.
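As an added illustration (not CXF's own code), the Java below contrasts a split that interprets a caller-supplied separator as a regex, which is the pattern the report describes, with one that quotes the separator so it is matched literally, plus an allow-list check for the configured value. The class and method names are hypothetical.

```java
import java.util.Arrays;
import java.util.regex.Pattern;

// Added example, not code from Apache CXF. Names are hypothetical.
public class SeparatorSplitDemo {

    // Mirrors the reported defect: the separator is handed straight to
    // String.split(), which compiles it as a regular expression.
    static String[] regexSplit(String value, String separator) {
        return value.split(separator);
    }

    // Hardened: Pattern.quote() wraps the separator in \Q...\E so every
    // character is matched literally; quantifiers and groups in the
    // separator can no longer be interpreted, so no backtracking occurs.
    static String[] literalSplit(String value, String separator) {
        return value.split(Pattern.quote(separator));
    }

    // Defensive default for a value read from configuration: accept only a
    // short separator made of characters from a small allow-list.
    static boolean isAcceptableSeparator(String separator) {
        if (separator == null || separator.isEmpty() || separator.length() > 2) {
            return false;
        }
        for (char ch : separator.toCharArray()) {
            if (ch != ',' && ch != ';' && ch != ' ') {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample header value.
        String header = "no-cache.no-store.max-age=0";
        // Even a harmless-looking separator such as "." misbehaves as a regex:
        // "." matches every character, so only empty tokens remain and
        // String.split() drops them, printing [].
        System.out.println(Arrays.toString(regexSplit(header, ".")));
        // The quoted form splits on the literal dot: [no-cache, no-store, max-age=0]
        System.out.println(Arrays.toString(literalSplit(header, ".")));
        System.out.println(isAcceptableSeparator("(e+)+")); // false
        System.out.println(isAcceptableSeparator(";"));     // true
    }
}
```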
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
