If a SOAP message generates a fault on parsing or processing but is not fully consumed, it is possible to cause the server to read all of the remaining data and save it to a temporary file. By generating that data dynamically, an attacker can fill the entire /tmp directory.

Affected versions:
Apache CXF 2.6.x < 2.6.14
Apache CXF 2.7.x < 2.7.11

References:
http://cxf.apache.org/security-advisories.data/CVE-2014-0110.txt.asc

Upstream fix:
https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=8f4799b5bc5ed0fe62d6e018c45d960e3652373e
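The following is an added simulation of the failure mode described in this report, not Apache CXF code and not the upstream fix. It models a request whose body faults the XML parser early while the client keeps streaming filler, and contrasts a server that spools the unread remainder to a temp file without limit with one that drains at most a fixed number of bytes and never touches disk. The function names, the 4 KiB chunk size and the 64 KiB cap are assumptions made for the example; the SOAP envelope is constructed.

```python
"""Simulation of the CVE-2014-0110 failure mode (illustrative, not CXF code):
a body that faults the parser early but keeps streaming is spooled to disk
without a bound (vulnerable) versus drained up to a fixed cap (hardened)."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: the envelope faults the parser at "<1bad" (an element
# name cannot start with a digit), before any trailing filler is seen.
BAD_ENVELOPE_HEAD = (
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<soap:Body><1bad/>"
)


def attacker_body(head, tail_bytes, chunk=4096):
    """Yield the malformed head, then `tail_bytes` of filler generated on the
    fly, so the sender never has to hold the payload in memory."""
    yield head
    while tail_bytes > 0:
        n = min(chunk, tail_bytes)
        yield b"A" * n
        tail_bytes -= n


def handle_request(body, on_fault):
    """Feed the streamed body to the parser; on the first parse error hand the
    unread remainder of the stream to `on_fault` and return its result."""
    parser = ET.XMLParser()
    for chunk in body:
        try:
            parser.feed(chunk)
        except ET.ParseError:
            return "fault", on_fault(body)
    parser.close()
    return "ok", None


def vulnerable_drain(rest, tmpdir):
    """Vulnerable pattern: read everything the client still sends and spool it
    to a temp file with no size limit. Returns (path, bytes written)."""
    fd, path = tempfile.mkstemp(dir=tmpdir, prefix="soap-fault-")
    written = 0
    with os.fdopen(fd, "wb") as spool:
        for chunk in rest:
            spool.write(chunk)
            written += len(chunk)
    return path, written


def capped_drain(rest, max_bytes):
    """Hardened pattern (assumed cap): consume at most roughly max_bytes and
    write nothing to disk. Returns (bytes consumed, body fully drained?)."""
    consumed = 0
    for chunk in rest:
        consumed += len(chunk)
        if consumed > max_bytes:
            return consumed, False  # give up; the caller should close the connection
    return consumed, True


def simulate(tail_bytes, max_bytes=64 * 1024, chunk=4096):
    """Run the same malformed request through both servers. Returns
    (bytes the vulnerable server spooled to disk,
     bytes the capped server read, whether the capped server drained fully)."""
    tmpdir = tempfile.gettempdir()
    status, (path, _spooled) = handle_request(
        attacker_body(BAD_ENVELOPE_HEAD, tail_bytes, chunk),
        lambda rest: vulnerable_drain(rest, tmpdir))
    if status != "fault":
        raise RuntimeError("sample envelope was expected to fault the parser")
    on_disk = os.path.getsize(path)
    os.remove(path)  # clean up the spool file the vulnerable server left behind
    status, (consumed, complete) = handle_request(
        attacker_body(BAD_ENVELOPE_HEAD, tail_bytes, chunk),
        lambda rest: capped_drain(rest, max_bytes))
    if status != "fault":
        raise RuntimeError("sample envelope was expected to fault the parser")
    return on_disk, consumed, complete


if __name__ == "__main__":
    on_disk, consumed, complete = simulate(8 * 1024 * 1024)
    print(f"vulnerable server spooled {on_disk} bytes to disk")
    print(f"capped server read {consumed} bytes, drained fully: {complete}")
```

The vulnerable path writes exactly as many bytes as the attacker is willing to stream, which is the disk-exhaustion described above; the capped path stops within one chunk of the limit and leaves the connection for the transport to close.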
Created cxf tracking bugs for this issue: Affects: fedora-all [bug 1095550]
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.2.4 Via RHSA-2014:0797 https://rhn.redhat.com/errata/RHSA-2014-0797.html
This issue has been addressed in the following products: JBEAP 6.2 for RHEL 5 Via RHSA-2014:0798 https://rhn.redhat.com/errata/RHSA-2014-0798.html
This issue has been addressed in the following products: JBEAP 6.2 for RHEL 6 Via RHSA-2014:0799 https://rhn.redhat.com/errata/RHSA-2014-0799.html
IssueDescription: It was found that when Apache CXF processed a large, invalid SOAP message, the unconsumed remainder of the message could be saved to a temporary file in the /tmp directory. A remote attacker could send a specially crafted SOAP message that, when processed by an application using Apache CXF, would use an excessive amount of disk space, possibly causing a denial of service.
This issue has been addressed in the following products: Red Hat JBoss Fuse/A-MQ 6.1.0 Via RHSA-2014:1351 https://rhn.redhat.com/errata/RHSA-2014-1351.html
This issue has been addressed in the following products: JBoss BPM Suite 6.1.0 Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html
This issue has been addressed in the following products: JBoss BRMS 6.1.0 Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html
This issue has been addressed in the following products: JBoss Portal 6.2.0 Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html