Posted to dev@cxf.apache.org by Daniel Kulp <dk...@apache.org> on 2010/06/16 17:29:13 UTC

[Important] Apache CXF security advisory CVE-2010-2076


The Apache CXF team recently discovered a security issue that may allow an 
attacker to carry out denial of service attacks and to read arbitrary files on 
the file system of the node where CXF runs. Details of the vulnerability are 
described in the following advisory:

http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf

This vulnerability may potentially be exploited on any CXF installation that 
receives XML messages from untrusted sources. We strongly recommend to all 
users who manage this type of installation to follow the instructions in the 
above advisory in order to mitigate the security risk caused by this 
vulnerability.


-- The Apache CXF team

Re: [Important] Apache CXF security advisory CVE-2010-2076

Posted by Nikolay Elenkov <ni...@sarion.co.jp>.
On 2010/06/18 22:21, Daniel Kulp wrote:
> On Thursday 17 June 2010 11:17:13 pm Nikolay Elenkov wrote:

>>
>> So I guess we are safe. Anyone that built using Maven should get the same,
>> so it should be mostly OK? Unless of course their appserver ignores the
>> bundled parser and uses the system one for some reason.
> 
> Well, I'm still not sure if the section 5.2 vulnerability isn't still an 
> issue.   In this case, did Woodstox parse the DTD (and thus hit the google 
> URL) before returning the DTD event.   I don't know.   You would need to 
> wireshark or something to see if a URL connection is going out to google.

I forgot to say so in my last email, but I was monitoring the test with
Wireshark. There were no outgoing requests.

> .....    
> 
> Actually, just tried it.  With woodstox as the parser, I don't see any 
> outgoing requests.    With the parser built into the JDK, I do.  (with 2.2.8 
> and earlier)
> 
> With the new CXF releases, I don't see any outgoing hits with either parser.
> 
> Thus, for SOAP endpoints, if you are 100% sure you are using Woodstox, then 
> you shouldn't be vulnerable.   As you said, by default, our maven deps pull in 
> woodstox so hopefully most people are OK.   Upgrading is still strongly 
> recommended to be sure though.
> 

Thanks.



Re: [Important] Apache CXF security advisory CVE-2010-2076

Posted by Daniel Kulp <dk...@apache.org>.
On Thursday 17 June 2010 11:17:13 pm Nikolay Elenkov wrote:
> Apparently 2.2.7 has the Woodstox parser as a dependency, and for the above
> request that gives a (on Tomcat 5.5)
> 
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Body>
> <soap:Fault>
>   <faultcode>soap:Client</faultcode>
>   <faultstring>Error reading XMLStreamReader.</faultstring>
> </soap:Fault>
> </soap:Body>
> </soap:Envelope>
> 
> With the cause exception:
> 
> Caused by: com.ctc.wstx.exc.WstxParsingException: Received event DTD,
> instead of START_ELEMENT or END_ELEMENT.
> 
> So I guess we are safe. Anyone that built using Maven should get the same,
> so it should be mostly OK? Unless of course their appserver ignores the
> bundled parser and uses the system one for some reason.

Well, I'm still not sure if the section 5.2 vulnerability isn't still an 
issue.   In this case, did Woodstox parse the DTD (and thus hit the google 
URL) before returning the DTD event.   I don't know.   You would need to 
wireshark or something to see if a URL connection is going out to google.

.....    

Actually, just tried it.  With woodstox as the parser, I don't see any 
outgoing requests.    With the parser built into the JDK, I do.  (with 2.2.8 
and earlier)

With the new CXF releases, I don't see any outgoing hits with either parser.

Thus, for SOAP endpoints, if you are 100% sure you are using Woodstox, then 
you shouldn't be vulnerable.   As you said, by default, our maven deps pull in 
woodstox so hopefully most people are OK.   Upgrading is still strongly 
recommended to be sure though.



-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog

Re: [Important] Apache CXF security advisory CVE-2010-2076

Posted by Nikolay Elenkov <ni...@sarion.co.jp>.
On 2010/06/17 22:17, Daniel Kulp wrote:
> On Wednesday 16 June 2010 10:00:03 pm Nikolay Elenkov wrote:
>> On 2010/06/17 0:29, Daniel Kulp wrote:
>>> The Apache CXF team recently discovered a security issue that may allow
>>> an attacker to carry out denial of service attacks and to read arbitrary
>>> files on the file system of the node where CXF runs. Details of the
>>> vulnerability are described in the following advisory:
>>>
>>> http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf
>>
>> I know it is better to upgrade, but just to confirm, are we OK if we are
>> using only SOAP binding
>> (@BindingType("http://schemas.xmlsoap.org/wsdl/soap/http"))? I did test it
>> with the example exploits in the advisory, and it doesn't seem to be
>> vulnerable, but could you confirm?
> 
> It MAY be vulnerable depending on the Stax parser that's being picked up.   In 
> particular, the stuff in section 5.2 of the advisory could be a problem.  For 
> example:
> 
> 
> <!DOCTYPE Envelope SYSTEM "http://www.google.com/search?q=test">
> <soap:Envelope>......</soap:Envelope>
> 

Apparently 2.2.7 has the Woodstox parser as a dependency, and for the above
request that gives a (on Tomcat 5.5)

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<soap:Fault>
  <faultcode>soap:Client</faultcode>
  <faultstring>Error reading XMLStreamReader.</faultstring>
</soap:Fault>
</soap:Body>
</soap:Envelope>

With the cause exception:

Caused by: com.ctc.wstx.exc.WstxParsingException: Received event DTD, instead of
START_ELEMENT or END_ELEMENT.

So I guess we are safe. Anyone that built using Maven should get the same, so
it should be mostly OK? Unless of course their appserver ignores the bundled
parser and uses the system one for some reason.

> 
> I don't believe the stuff in section 5.1 and 5.3 are a problem as we would 
> fault out prior to any entities being expanded and data being exposed.  
> 
> 

Thanks for the confirmation.

Re: [Important] Apache CXF security advisory CVE-2010-2076

Posted by Daniel Kulp <dk...@apache.org>.
On Wednesday 16 June 2010 10:00:03 pm Nikolay Elenkov wrote:
> On 2010/06/17 0:29, Daniel Kulp wrote:
> > The Apache CXF team recently discovered a security issue that may allow
> > an attacker to carry out denial of service attacks and to read arbitrary
> > files on the file system of the node where CXF runs. Details of the
> > vulnerability are described in the following advisory:
> > 
> > http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf
> 
> I know it is better to upgrade, but just to confirm, are we OK if we are
> using only SOAP binding
> (@BindingType("http://schemas.xmlsoap.org/wsdl/soap/http"))? I did test it
> with the example exploits in the advisory, and it doesn't seem to be
> vulnerable, but could you confirm?

It MAY be vulnerable depending on the Stax parser that's being picked up.   In 
particular, the stuff in section 5.2 of the advisory could be a problem.  For 
example:


<!DOCTYPE Envelope SYSTEM "http://www.google.com/search?q=test">
<soap:Envelope>......</soap:Envelope>

MAY result in the parser calling off to google prior to us being able to send 
the fault back due to the DTD being there.   The parser may process the DTD 
prior to us getting the event that it is there.    I don't really know what 
kind of problems being able to do a "get" on a URL from within Java can 
produce.   Possibly a DOS if they send enough requests to tie up network 
resources.   I don't really know.   That said, it also depends on the parser.   
The parser may or may not process the DTD prior to the event.   I don't really 
know which do and which don't.


I don't believe the stuff in section 5.1 and 5.3 are a problem as we would 
fault out prior to any entities being expanded and data being exposed.  


-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
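An added example (not CXF's own code and not from this thread) of the defensive configuration the discussion points at: a StAX factory that cannot fetch the external subset at all, whichever parser implementation is picked up, with the first-event check layered on top. The class name, the sample messages and the placeholder DTD host are assumptions.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class DtdGuardExample {
    // Constructed sample shaped like the message in the thread; the host is a placeholder.
    static final String DOCTYPE_MESSAGE =
        "<!DOCTYPE Envelope SYSTEM \"http://dtd.example.invalid/test\">\n"
      + "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soap:Body/></soap:Envelope>";
    // Constructed sample without a DTD, the shape a normal request has.
    static final String PLAIN_MESSAGE =
        "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soap:Body/></soap:Envelope>";

    // StAX factory that cannot open a connection for an external subset or entity,
    // whichever implementation (JDK built-in or Woodstox) is picked up.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // If the implementation still asks to resolve a SYSTEM id, fail instead of fetching.
        f.setXMLResolver((publicId, systemId, baseUri, ns) -> {
            throw new XMLStreamException("external reference refused: " + systemId);
        });
        return f;
    }

    // The first-event check from the thread: a DTD event before the root START_ELEMENT is
    // rejected. With the factory above the parser has fetched nothing by that point.
    static String classify(String xml) {
        try {
            XMLStreamReader r = hardenedFactory().createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                int event = r.next();
                if (event == XMLStreamConstants.DTD) {
                    return "rejected: DTD present";
                }
                if (event == XMLStreamConstants.START_ELEMENT) {
                    return "accepted: " + r.getLocalName();
                }
            }
            return "rejected: no root element";
        } catch (XMLStreamException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println(classify(DOCTYPE_MESSAGE));
        System.out.println(classify(PLAIN_MESSAGE));
    }
}
```

Whether the DOCTYPE message ends in "rejected: DTD present" or in a resolver exception depends on the implementation, but in both cases no connection is opened, which is the property the thread had to verify with Wireshark.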

Re: [Important] Apache CXF security advisory CVE-2010-2076

Posted by Nikolay Elenkov <ni...@sarion.co.jp>.
On 2010/06/17 0:29, Daniel Kulp wrote:
> 
> 
> The Apache CXF team recently discovered a security issue that may allow an 
> attacker to carry out denial of service attacks and to read arbitrary files on 
> the file system of the node where CXF runs. Details of the vulnerability are 
> described in the following advisory:
> 
> http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf
> 

I know it is better to upgrade, but just to confirm, are we OK if we are using
only SOAP binding (@BindingType("http://schemas.xmlsoap.org/wsdl/soap/http"))? I
did test it with the example exploits in the advisory, and it doesn't seem to be
vulnerable, but could you confirm?





Re: [Important] Apache CXF security advisory CVE-2010-2076

Posted by Daniel Kulp <dk...@apache.org>.
On Wednesday 07 July 2010 3:35:45 pm FlorianK wrote:
> Hi,
> 
> is there any reason why the advisory cannot be found on cve.mitre.org or if
> we look it up it has no details:
> 
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2076
> 
> Florian

The info was resubmitted to mitre.   Hopefully it will get updated in a day or 
two.


-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog

Re: [Important] Apache CXF security advisory CVE-2010-2076

Posted by FlorianK <fl...@yahoo.com>.
Hi,

is there any reason why the advisory cannot be found on cve.mitre.org or if
we look it up it has no details:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2076

Florian

Re: Generating JavaScript with standalone server

Posted by Daniel Kulp <dk...@apache.org>.
Two questions:

1) Do you have a spring config or something that is used to setup the bus or 
are you relying on the default bus loading/configuration?

2) Are you using the bundle jar?  If not, is cxf-rt-javascript-2.2.9.jar on 
the classpath?

Dan


On Wednesday 16 June 2010 12:31:09 pm Ian Upright wrote:
> Hello,
> 
> I start my service with something like this:
> 
> MYWebService restServiceImpl = new MYWebService();
> ServerFactoryBean svrFactory = new ServerFactoryBean();
> svrFactory.setServiceClass(MYWebService.class);
> svrFactory.setAddress("http://localhost:9000/myapi");
> svrFactory.setServiceBean(restServiceImpl);
> svrFactory.create();
> 
> If I do a query like:
> 
> http://localhost:9000/myapi?wsdl
> 
> it works perfectly..
> 
> However, if I do:
> 
> http://localhost:9000/myapi?js
> 
> It does not.
> 
> How do I get the standalone service to generate Javascript?
> 
> Also, since I'm starting the server behind a proxy, I want to change the
> external address that shows up in the wsdl file to something other than
> localhost:9000.  How do I do that?  I can't seem to find either of these
> answers in the docs.
> 
> Thanks, Ian

-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog

Generating JavaScript with standalone server

Posted by Ian Upright <ia...@upright.net>.
Hello,

I start my service with something like this:

MYWebService restServiceImpl = new MYWebService();
ServerFactoryBean svrFactory = new ServerFactoryBean();
svrFactory.setServiceClass(MYWebService.class);
svrFactory.setAddress("http://localhost:9000/myapi");
svrFactory.setServiceBean(restServiceImpl);
svrFactory.create();

If I do a query like:

http://localhost:9000/myapi?wsdl 

it works perfectly..

However, if I do:

http://localhost:9000/myapi?js

It does not.

How do I get the standalone service to generate Javascript?

Also, since I'm starting the server behind a proxy, I want to change the
external address that shows up in the wsdl file to something other than
localhost:9000.  How do I do that?  I can't seem to find either of these
answers in the docs.

Thanks, Ian