Multiple denial of service flaws were found in the way the StAX parser implementation of Apache CXF, an open-source web services framework, performed processing of certain XML files. If a web service application utilized the services of the StAX parser, a remote attacker could provide a specially-crafted XML file that, when processed by the application, would lead to excessive system resource (CPU cycles, memory) consumption by that application.
References:
[1] http://jira.codehaus.org/browse/WSTX-287
[2] http://jira.codehaus.org/browse/WSTX-285
External References: http://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc
Upstream patch (picks up Woodstox 4.2.0 as the streaming XML parser): http://svn.apache.org/viewvc?view=revision&revision=1460428
This issue affects the versions of the cxf package as shipped with Fedora releases 17 and 18. Please schedule an update.
Regarding the jbossws-cxf packages in Fedora, I am not sure if they are affected by this or not (someone more familiar with the jbossws-cxf code please advise). I will file Fedora child bugs for the cxf and jbossws-cxf packages once the jbossws-cxf doubt is cleared.
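The mitigation the upstream patch relies on is the set of per-document resource caps that Woodstox 4.2.0 introduced (element depth, children per element, element count, attribute count and size, text and total character length). The following added example (not code from the bug, from CXF or from Woodstox) configures those caps directly on a Woodstox factory and shows that a document nested far beyond the cap is rejected as a parse error instead of being processed; it assumes Woodstox 4.2 or later is on the classpath, and the numeric limits and the test input are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import com.ctc.wstx.api.WstxInputProperties;
import com.ctc.wstx.stax.WstxInputFactory;
public final class BoundedStaxParsing {
    // Woodstox factory with the per-document caps added in 4.2.0; values here are illustrative.
    static XMLInputFactory boundedFactory() {
        XMLInputFactory f = new WstxInputFactory();
        f.setProperty(WstxInputProperties.P_LAZY_PARSING, Boolean.FALSE);       // cap hits as checked exceptions
        f.setProperty(WstxInputProperties.P_MAX_ELEMENT_DEPTH, 100);            // nesting depth
        f.setProperty(WstxInputProperties.P_MAX_CHILDREN_PER_ELEMENT, 50000);   // fan-out per element
        f.setProperty(WstxInputProperties.P_MAX_ELEMENT_COUNT, 500000L);        // total elements
        f.setProperty(WstxInputProperties.P_MAX_ATTRIBUTES_PER_ELEMENT, 200);
        f.setProperty(WstxInputProperties.P_MAX_ATTRIBUTE_SIZE, 64 * 1024);
        f.setProperty(WstxInputProperties.P_MAX_TEXT_LENGTH, 1024 * 1024);
        f.setProperty(WstxInputProperties.P_MAX_CHARACTERS, 20L * 1024 * 1024); // whole document
        return f;
    }
    // Drains the document and returns its START_ELEMENT count, or -1 when a cap was hit.
    static int countElements(XMLInputFactory f, String xml) {
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
            int n = 0;
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT) n++;
            }
            r.close();
            return n;
        } catch (XMLStreamException e) {
            // Woodstox reports an exceeded limit as a parse error, e.g. "Maximum Element Depth limit (100) Exceeded".
            return -1;
        }
    }
    // Constructed test input (not from the advisory): 'depth' nested <a> elements.
    static String nested(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append("<a>");
        for (int i = 0; i < depth; i++) sb.append("</a>");
        return sb.toString();
    }
    public static void main(String[] args) {
        XMLInputFactory f = boundedFactory();
        System.out.println("depth 50:   " + countElements(f, nested(50)));   // well under the depth cap
        System.out.println("depth 5000: " + countElements(f, nested(5000))); // stopped by the depth cap
    }
}
```

A service that receives XML from untrusted clients should set these caps (or the equivalent CXF-level settings of a fixed release) before the first message is parsed, since the defaults in older Woodstox versions impose no limits at all.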
Created cxf tracking bugs for this issue: Affects: fedora-all [bug 979086]
This issue has been addressed in the following products: Fuse ESB Enterprise 7.1.0 Via RHSA-2013:1028 https://rhn.redhat.com/errata/RHSA-2013-1028.html
cxf-2.6.9-1.fc18, jacorb-2.3.1-8.fc18, wss4j-1.6.10-1.fc18 have been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
cxf-2.6.9-1.fc19, jacorb-2.3.1-8.fc19, wss4j-1.6.10-1.fc19 have been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat JBoss Fuse 6.0.0 Via RHSA-2013:1185 https://rhn.redhat.com/errata/RHSA-2013-1185.html
This issue has been addressed in the following products: Red Hat JBoss Portal 6.1.0 Via RHSA-2013:1437 https://rhn.redhat.com/errata/RHSA-2013-1437.html