A flaw was found in Apache CXF prior to 3.2.1 and 3.1.14. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. Upstream patch: https://github.com/apache/cxf/commit/8bd915bfd7735c248ad660059c6b6ad26cdbcdf6 References: http://cxf.apache.org/security-advisories.data/CVE-2017-12624.txt.asc
Created cxf tracking bugs for this issue: Affects: fedora-all [bug 1515977]
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:2425 https://access.redhat.com/errata/RHSA-2018:2425
This issue has been addressed in the following products: Red Hat Single Sign-On 7.2.4 zip Via RHSA-2018:2428 https://access.redhat.com/errata/RHSA-2018:2428
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:2423 https://access.redhat.com/errata/RHSA-2018:2423
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2018:2424 https://access.redhat.com/errata/RHSA-2018:2424