Apache CXF prior to 2.5.10, 2.6.7 and 2.7.4 - DoS PoC

:
10.07.2013
:
Apache CXF prior to 2.5.10, 2.6.7, 2.7.4
:

SEC Consult Vulnerability Lab Security Advisory < 20130709-0 >
=======================================================================
title: Denial of service vulnerability
product: Apache CXF
vulnerable version: Apache CXF prior to 2.5.10, 2.6.7 and 2.7.4
fixed version: Apache CXF 2.5.10, 2.6.7 and 2.7.4 onwards
CVE number: CVE-2013-2160
impact: Critical
homepage: http://cxf.apache.org/
found: 2013-02-01
by: Andreas Falkenberg, SEC Consult Vulnerability Lab
Christian Mainka, Ruhr-University Bochum
Juraj Somorovsky, Ruhr-University Bochum
Joerg Schwenk, Ruhr-University Bochum
https://www.sec-consult.com
=======================================================================

Vendor/product description:
------------------------------------------------------------------------------
"Apache CXF is an open source services framework. CXF helps you build and
develop services using frontend programming APIs, like JAX-WS and JAX-RS.
These services can speak a variety of protocols such as SOAP, XML/HTTP,
RESTful HTTP, or CORBA and work over a variety of transports such as HTTP,
JMS or JBI."

URL: http://cxf.apache.org/


Business recommendation:
------------------------------------------------------------------------------
Various denial of service attack vectors were found within Apache CXF.
The recommendation of SEC Consult is to immediately perform an update.



Vulnerability overview/description:
------------------------------------------------------------------------------
It is possible to execute Denial of Service attacks on Apache CXF, exploiting
the fact that the streaming XML parser does not put limits on things like the
number of elements, number of attributes, the nested structure of the document
received, etc. The effects of these attacks can vary from causing high CPU
usage, to causing the JVM to run out of memory.
URL: http://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc


Proof of concept:
------------------------------------------------------------------------------
The following SOAP message will trigger a denial of service:

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope";>
<soap:Body>
<element>
<element>
<element>
<element>
[thousands more]
</element>
</element>
</element>
</element>
</soap:Body>
</soap:Envelope>

There are various other XML payloads that will also trigger a denial of
service on vulnerable services.


Vulnerable / tested versions:
------------------------------------------------------------------------------
This vulnerability affects all versions of Apache CXF prior to 2.5.10, 2.6.7
and 2.7.4.


Vendor contact timeline:
------------------------------------------------------------------------------
2013-02-22: Advisory sent to vendor by Juraj Somorovsky (RUB)
2013-02-22: Advisory acknowledged by vendor
2013-04-19: Vendor confirms vulnerability
2013-05-15: Vendor publishes fixed version
2013-06-27: Vulnerability is disclosed by vendor
2013-07-09: SEC Consult releases security advisory


Solution:
------------------------------------------------------------------------------
CXF 2.5.x users should upgrade to 2.5.10 or later as soon as possible.
CXF 2.6.x users should upgrade to 2.6.7 or later as soon as possible.
CXF 2.7.x users should upgrade to 2.7.4 or later as soon as possible.

Also see the advisory of the vendor:
http://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc


Workaround:
------------------------------------------------------------------------------
No workaround available.


Advisory URL:
------------------------------------------------------------------------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Andreas Falkenberg / @2013