Date: Fri, 6 Jul 2012 11:12:34 +0200
Subject: [SECURITY] CVE-2012-2138 Apache Sling denial of service vulnerability
From: Bertrand Delacretaz
To: users , dev , security@apache.org, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, announce@apache.org, security@sling.apache.org

CVE-2012-2138: Apache Sling denial of service vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: org.apache.sling.servlets.post bundle up to 2.1.0

Description: The @CopyFrom operation of the Sling POST servlet allows for copying a parent node to one of its descendant nodes, creating an infinite loop that ultimately results in denial of service, once memory and/or storage resources are exhausted.

Mitigation: Users should upgrade to version 2.1.2 of the org.apache.sling.servlets.post bundle [1], or apply the Sling patch of revision 1352865 [2].

Example:
curl -u admin:pwd -d "" "http://localhost:8888/content/foo/?./%40CopyFrom=../"

Credit: This issue was discovered by IO Active, working for Adobe.

References:
[1] http://sling.apache.org/site/downloads.cgi
[2] http://svn.apache.org/viewvc?view=revision&revision=1352865
https://issues.apache.org/jira/browse/SLING-2517
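
A request-triage check for the pattern described in the advisory, as an added example that is not part of the original message or of the Sling patch: it flags `@CopyFrom` parameters whose source is the destination node or one of its ancestors. It assumes the parameters arrive in the query string as in the advisory's example and that relative paths resolve against the request path; `risky_copyfrom` and every sample URL except the first are constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit, unquote, parse_qsl

SUFFIX = "@CopyFrom"

def _resolve(node, rel):
    """Resolve rel against node (an absolute rel wins), collapsing '.' and '..'."""
    path = posixpath.normpath(posixpath.join(node, rel))
    return "/" + path.lstrip("/")

def _ancestor_or_self(src, dst):
    """True when dst is src itself or lies below it (whole path segments only)."""
    return src == dst or dst.startswith(src.rstrip("/") + "/")

def risky_copyfrom(url):
    """Return (source, destination) pairs where the copy target lies inside the source."""
    parts = urlsplit(url)
    # Assumption: the request path names the target node (no selectors/extensions).
    node = unquote(parts.path).rstrip("/") or "/"
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if not name.endswith(SUFFIX) or not value:
            continue
        dst = _resolve(node, name[:-len(SUFFIX)] or ".")
        src = _resolve(node, value)
        if _ancestor_or_self(src, dst):
            hits.append((src, dst))
    return hits

# Constructed sample requests; the first is the URL from the advisory's example.
SAMPLES = [
    "http://localhost:8888/content/foo/?./%40CopyFrom=../",
    "http://localhost:8888/content/foo/?./%40CopyFrom=/content/bar",
    "http://localhost:8888/content/foobar?./%40CopyFrom=/content/foo",
    "http://localhost:8888/content/foo?./copy%40CopyFrom=/content",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", risky_copyfrom(url) or "ok")
```

Parameters sent in a form body rather than the query string would need the same comparison applied to the decoded body.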