Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2021/06/11 06:15:00 UTC

[jira] [Commented] (CXF-8454) DOS vulnerability in bearer token parsing

    [ https://issues.apache.org/jira/browse/CXF-8454?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17361440#comment-17361440 ] 

Colm O hEigeartaigh commented on CXF-8454:
------------------------------------------

[~Svorc] - Do you want a credit in the advisory for this? If so please let me know ASAP the full text.

> DOS vulnerability in bearer token parsing
> -----------------------------------------
>
>                 Key: CXF-8454
>                 URL: https://issues.apache.org/jira/browse/CXF-8454
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.4.3
>            Reporter: Martin
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 3.4.4, 3.3.11
>
>         Attachments: cxf-bearer-dos.zip, stacktrace.txt
>
>
> I stumbled upon this vulnerability when I accidentally copied the following shortened Base64 bearer token from the Firefox console (notice the "…" character):
> {{eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIyZ3RYd0FMb2h6ekNYTkFaYjBLbGFDVUtnQ01xMi0wUlFiNkVRYWFSeGE0In0.eyJleHAiOjE2MTc3MTA3MDgsImlhdCI6MTYxNzcxMDQwOCwiYXV0aF90aW1lIjoxNjE3NzEwNDA2LCJqdGkiOiJlMjEzZjY2Ni00Y2ZjLTQ4ZWItOTcxZi03NzEyMzA5YWYyZjYiLCJpc3MiOiJodHRwczovL3BnZGV2LnNlZmlyYS5jei9hdXRoL3JlYWxtcy9kZWZhdWx0IiwiYXVkIjpbIm9iZWxpc2stc3AtYXBpIiwiYWNjb3VudCJdLCJzdWIiOiI3NDYxYWUzNy05ODAxLTQ2MGQtODkwYS1lMTY0ZjUyM2Y4NzIiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJvYmVsaXNrLXNwLWd1aSIsIm5vbmNlIjoiYTIwZmM1ZTUtZTVmZ…hbCIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QiLCJnaXZlbl9uYW1lIjoiS2F6aXN2xJt0IE9zbcO9IiwiZmFtaWx5X25hbWUiOiJ6IEJvxb7DrSB2xa9sZSBrcsOhbCIsImVtYWlsIjoidGVzdEBzZWZpcmEuY3p4In0.oyOijY0OluxSzqsaZtTwH3_kl327jCziXQcFRpsoPpCqTXbwQmn4s4_75ov83iwVVi_tohaVniof_Y80IaMz62jzzJvr5HZNzFPjXbHMO4W4Wgp2HwtRJBDIIfpMvhyR6OYQfSmNl7Ie-1X5ij7PTeMO5qUH_U725NdzSLwz3A8DC7JAgpWdUJxJHbAUYtqoyOHHM8IYpzq0yGU0Zq3LS7EqN-mH3s4OqzTgcgXL7T7bpybTyjOF7e3GLQt9tn9E9Ch3ZPP9MtsVRQ8sJZRo1q-kZBQDSPkiCw0o-pOeVxzXy5LvSkFPLTp73ab2H0V08xKzQSKpjYOx9XKc8yzqkA}}
> Invoking a service secured by OAuthRequestFilter results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This seems to be a result of lenient parsing of both Base64 and JSON. I put together a minimal Maven project which can be used to reproduce the behavior by invoking the following cURL:
> {{curl -v -H "Authorization: Bearer [token above]" http://localhost:8080/services/myapp/hello}}
> I also attach the stack trace of the thread getting stuck.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
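
A strict structural pre-check for compact bearer tokens, added here as an illustration of rejecting input like the truncated token in the report before a lenient Base64 or JSON parser sees it; it is not part of the original thread and is not CXF's code or its fix. The class name, the length ceiling and the sample tokens are assumptions constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Pattern;

// Hypothetical pre-check, not CXF code: reject malformed compact JWS bearer
// tokens before any lenient Base64/JSON parsing is attempted.
public class StrictBearerTokenCheck {
    // Assumption: 8 KiB is a generous ceiling for an access token.
    private static final int MAX_TOKEN_LENGTH = 8192;
    // base64url alphabet only (RFC 4648 section 5), no padding, no whitespace.
    private static final Pattern SEGMENT = Pattern.compile("[A-Za-z0-9_-]+");

    /** Returns the decoded header and payload, or throws on malformed input. */
    public static String[] validate(String token) {
        if (token == null || token.length() > MAX_TOKEN_LENGTH) {
            throw new IllegalArgumentException("token missing or too long");
        }
        String[] parts = token.split("\\.", -1); // -1 keeps empty segments
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected 3 segments, got " + parts.length);
        }
        for (String part : parts) {
            if (!SEGMENT.matcher(part).matches()) {
                throw new IllegalArgumentException("segment contains non-base64url characters");
            }
        }
        // The JDK URL decoder throws IllegalArgumentException on invalid input.
        Base64.Decoder decoder = Base64.getUrlDecoder();
        String header = new String(decoder.decode(parts[0]), StandardCharsets.UTF_8);
        String payload = new String(decoder.decode(parts[1]), StandardCharsets.UTF_8);
        decoder.decode(parts[2]); // the signature segment must decode as well
        return new String[] {header, payload};
    }

    public static void main(String[] args) {
        // Constructed sample: {"alg":"none"} . {"sub":"test"} . "sig"
        String ok = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJ0ZXN0In0.c2ln";
        // Constructed sample: same token with a U+2026 ellipsis in the payload.
        String truncated = "eyJhbGciOiJub25lIn0.eyJzdWIi\u2026ZXN0In0.c2ln";
        System.out.println(validate(ok)[1]);
        try {
            validate(truncated);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Signature verification still has to follow; this check only ensures the parser receives well-formed, bounded input.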