1515976 – (CVE-2017-12624) CVE-2017-12624 cxf: Improper size validation in message attachment header for JAX-WS and JAX-RS services

Bug 1515976 (CVE-2017-12624) - CVE-2017-12624 cxf: Improper size validation in message attachment header for JAX-WS and JAX-RS services

Summary: CVE-2017-12624 cxf: Improper size validation in message attachment header for...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2017-12624
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1515977
Blocks:	1515996
TreeView+	depends on / blocked

Reported:	2017-11-21 17:38 UTC by Pedro Sampaio
Modified:	2020-12-15 15:29 UTC (History)
CC List:	55 users (show)
Fixed In Version:	cxf 3.1.14, cxf 3.2.1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-06-08 03:31:25 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2018:2423	None	None	None	2018-08-15 11:30:55 UTC
Red Hat Product Errata	RHSA-2018:2424	None	None	None	2018-08-15 11:32:53 UTC
Red Hat Product Errata	RHSA-2018:2425	None	None	None	2018-08-15 11:20:33 UTC
Red Hat Product Errata	RHSA-2018:2428	None	None	None	2018-08-15 11:29:40 UTC

Description Pedro Sampaio 2017-11-21 17:38:43 UTC

A flaw was found in Apache CXF prior to 3.2.1 and 3.1.14. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack.

Upstream patch:

https://github.com/apache/cxf/commit/8bd915bfd7735c248ad660059c6b6ad26cdbcdf6

References:

http://cxf.apache.org/security-advisories.data/CVE-2017-12624.txt.asc

Comment 1 Pedro Sampaio 2017-11-21 17:45:06 UTC

Created cxf tracking bugs for this issue:

Affects: fedora-all [bug 1515977]

Comment 13 errata-xmlrpc 2018-08-15 11:20:15 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:2425 https://access.redhat.com/errata/RHSA-2018:2425

Comment 14 errata-xmlrpc 2018-08-15 11:29:21 UTC

This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.2.4 zip

Via RHSA-2018:2428 https://access.redhat.com/errata/RHSA-2018:2428

Comment 15 errata-xmlrpc 2018-08-15 11:30:38 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2018:2423 https://access.redhat.com/errata/RHSA-2018:2423

Comment 16 errata-xmlrpc 2018-08-15 11:32:33 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2018:2424 https://access.redhat.com/errata/RHSA-2018:2424

Note You need to log in before you can comment on or make changes to this bug.

aileenc
alazarot
anstephe
bdawidow
bmaxwell
cdewolf
chazlett
csutherl
darran.lofthouse
dimitris
dosoudil
drieden
etirelli
fgavrilo
gvarsami
ibek
jawilson
jcoleman
jolee
jondruse
jshepherd
kconner
kverlaen
ldimaggi
lef
lgao
loleary
lpetrovi
myarboro
nwallace
paradhya
pdrozd
pgier
pjurak
ppalaga
psakar
pslavice
psotirop
puntogil
rnetuka
rrajasek
rstancel
rsvoboda
rsynek
rwagner
rzhang
sdaley
spinder
sthorger
tcunning
theute
tkirby
twalsh
vhalbert
vtunka