cxf-issues mailing list archives

From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (CXF-6479) Denial of Service: Regular Expression in StringUtils
Date Fri, 14 Oct 2016 14:28:22 GMT

     [ https://issues.apache.org/jira/browse/CXF-6479?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed CXF-6479.
------------------------------------

> Denial of Service: Regular Expression in StringUtils
> ----------------------------------------------------
>
>                 Key: CXF-6479
>                 URL: https://issues.apache.org/jira/browse/CXF-6479
>             Project: CXF
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 3.1.1
>            Reporter: Donald Kwakkel
>            Assignee: Sergey Beryozkin
>             Fix For: 3.0.6, 2.7.17, 3.1.2
>
>
> Untrusted data is passed to the application and used as a regular expression. This can cause the thread to over-consume CPU resources.
> org.apache.cxf.common.util.StringUtils
> {code}
>             String separator = getSeparator();
>             return StringUtils.split(c, separator);
> {code}
> Where separator is provided by CacheControlHeader:
> {code}
> Object sepProperty = message.getContextualProperty(CACHE_CONTROL_SEPARATOR_PROPERTY);
> {code}
> There is a vulnerability in implementations of regular expression evaluators and related methods that can cause the thread to hang when evaluating repeating and alternating overlapping of nested and repeated regex groups. This defect can be used to execute a DoS (Denial of Service) attack.
> Example:
>
>         (e+)+
>         ([a-zA-Z]+)*
>
> There are no known regular expression implementations which are immune to this vulnerability.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
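As an added example (not code from CXF, and not posted by the issue reporter), the Java sketch below shows the split pattern the report describes, a caller-supplied separator handed to String.split() and so compiled as a regular expression, beside two hardened forms: one that quotes the separator with Pattern.quote() so the engine matches it literally, and one that avoids the regex engine entirely with indexOf(). The class, method and variable names are assumptions, as is the Cache-Control style input. The hostile separator is the report's nested quantifier `(e+)+` followed by a literal `!` that never occurs in the input: a nested quantifier only backtracks catastrophically when the overall match is forced to fail, which a bare `(e+)+` used as a split pattern would not be. String.repeat() needs Java 11 or later.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added example (not CXF code): separator-as-regex versus separator-as-literal.
public class SeparatorSplitDemo {

    // Mirrors the reported pattern: the separator goes straight into
    // String.split(String regex), so whoever controls it controls the regex.
    static String[] splitRegexSeparator(String value, String separator) {
        return value.split(separator);
    }

    // Hardened: Pattern.quote() wraps the separator in \Q...\E so the regex
    // engine treats it as literal text and has nothing to backtrack over.
    static String[] splitQuotedSeparator(String value, String separator) {
        return value.split(Pattern.quote(separator));
    }

    // Hardened without the regex engine at all: plain indexOf() scanning.
    // Cost is bounded by the lengths of value and separator, whatever they contain.
    static List<String> splitLiteral(String value, String separator) {
        if (separator.isEmpty()) {
            // indexOf("") would match at every position and never advance.
            throw new IllegalArgumentException("separator must not be empty");
        }
        List<String> parts = new ArrayList<>();
        int from = 0;
        int idx;
        while ((idx = value.indexOf(separator, from)) >= 0) {
            parts.add(value.substring(from, idx));
            from = idx + separator.length();
        }
        parts.add(value.substring(from));
        return parts;
    }

    // Wall-clock time of one call, so the growth with input length is visible.
    static long timeMillis(Runnable r) {
        long start = System.nanoTime();
        r.run();
        return (System.nanoTime() - start) / 1_000_000;
    }

    public static void main(String[] args) {
        // Constructed input: a Cache-Control style value with the usual separator.
        String header = "no-cache, no-store, max-age=0";
        System.out.println(Arrays.toString(splitRegexSeparator(header, ",")));
        System.out.println(Arrays.toString(splitQuotedSeparator(header, ",")));
        System.out.println(splitLiteral(header, ","));

        // Hostile separator: the report's nested quantifier plus a trailing
        // literal that is absent from the input, so every match attempt fails
        // and the engine retries each way of partitioning the run of 'e's.
        String hostile = "(e+)+!";
        for (int n = 18; n <= 24; n += 2) {
            String value = "e".repeat(n);
            long regexMs = timeMillis(() -> splitRegexSeparator(value, hostile));
            long quotedMs = timeMillis(() -> splitQuotedSeparator(value, hostile));
            long literalMs = timeMillis(() -> splitLiteral(value, hostile));
            System.out.printf("n=%d regex=%dms quoted=%dms literal=%dms%n",
                    n, regexMs, quotedMs, literalMs);
        }
    }
}
```

The regex column roughly quadruples with each two extra characters of input while the quoted and literal columns stay near zero; do not raise the upper bound of the loop much, since a few more characters turn seconds into minutes. The general rule the fix in 3.0.6 / 2.7.17 / 3.1.2 illustrates is that anything a caller can influence must reach the regex engine, if at all, only after Pattern.quote(), and that a plain substring split is the safer default when the separator is meant to be a literal token.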
