Posted to commits@tomee.apache.org by "Richard Zowalla (Jira)" <ji...@apache.org> on 2021/04/07 08:47:00 UTC

[jira] [Commented] (TOMEE-2996) Upgrade CXF to 3.3.10 / 3.4.3 in TomEE

    [ https://issues.apache.org/jira/browse/TOMEE-2996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17316125#comment-17316125 ] 

Richard Zowalla commented on TOMEE-2996:
----------------------------------------

Thanks for reporting it.

This is a duplicate of https://issues.apache.org/jira/browse/TOMEE-2987 - it was fixed with [https://github.com/apache/tomee/pull/777] 

> Upgrade CXF to 3.3.10 / 3.4.3 in TomEE
> --------------------------------------
>
>                 Key: TOMEE-2996
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2996
>             Project: TomEE
>          Issue Type: Dependency upgrade
>          Components: TomEE Core Server
>    Affects Versions: 8.0.6
>            Reporter: Nikhil
>            Priority: Major
>
> Apache TomEE version 8.0.6 contains a vulnerable version of the CXF libraries (i.e. *cxf-core-3.3.8.jar*).
>  
> _See Apache CXF - *CVE-2021-22696* for more details._
>  
> h1. Vulnerability Details
> h2. CVE-2021-22696
> *Vulnerability Published:* 2021-04-02 06:15 EDT
> *Vulnerability Updated:* 2021-04-02 14:15 EDT
> *CVSS Score:* (under review, not scored yet - updates will be reported in issue comments)
> *Summary*: CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https") and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDoS attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.
> *Solution*: N/A
> *Workaround*: N/A
> h2. BDSA-2021-0853
> *Affected Component(s):* Apache CXF
> *Vulnerability Published:* 2021-04-02 11:35 EDT
> *Vulnerability Updated:* 2021-04-02 11:35 EDT
> *CVSS Score:* 6.5 (overall), {color:#FF0000}7.5{color} (base)
> *Summary*: Apache CXF is vulnerable to distributed denial-of-service (DDoS) via passing *OAuth 2* parameters via a *JWT* token. An attacker could exploit this in order to cause the authorization server to crash.
> *Solution*: Fixed in [*3.4.3*|https://github.com/apache/cxf/releases/tag/cxf-3.4.3] by [this|https://github.com/apache/cxf/commit/7d5d2c7a019dd1e1d0566daf9f1ed5b7b0dd66b7] and [this|https://github.com/apache/cxf/commit/aee3bf291a7387cc492aa0dbdb0fb2af96687994] commit. Fixed in [*3.3.10*|https://github.com/apache/cxf/releases/tag/cxf-3.3.10] by [this|https://github.com/apache/cxf/commit/69953c8320629d9e44bee3419fb7b634d04a43da] and [this|https://github.com/apache/cxf/commit/10cb20adba95dad3dd37317059a9230e155401ca] commit.
> The latest stable releases are available [here|https://github.com/apache/cxf/releases].
> *Workaround*: N/A
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
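The CVE summary quoted above describes the weak check (any "https" URI was accepted as a request_uri and fetched) and points at section 10.4.1 of the JAR spec, which treats an unrestricted request_uri as a way to turn the authorization server into a request generator. The following class is an added illustration of the mitigation that section describes, pre-registering request_uri values per client and fetching only exact matches. It is not CXF code and does not use the CXF API; the class name, the in-memory registry and the sample client/URI values are constructed for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not part of Apache CXF): decide whether an OAuth 2
 * "request_uri" may be dereferenced by the authorization server.
 *
 * The weak policy from the CVE text is reproduced in requireHttpsOnly() so the
 * two can be compared; validate() is the hardened form.
 */
public final class RequestUriPolicy {

    // Constructed registry: client_id -> request_uri values the client
    // pre-registered. A real server loads this from its client store.
    private final Map<String, Set<String>> registeredRequestUris;

    public RequestUriPolicy(Map<String, Set<String>> registeredRequestUris) {
        this.registeredRequestUris = registeredRequestUris;
    }

    /** The insufficient check: any absolute https URI passes. */
    public static boolean requireHttpsOnly(String requestUri) {
        try {
            URI uri = new URI(requestUri);
            return "https".equalsIgnoreCase(uri.getScheme()) && uri.getHost() != null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /**
     * Hardened check: the URI must be absolute https AND appear verbatim in the
     * set the client registered out of band. Returns the URI to fetch, or
     * throws IllegalArgumentException when the request must be rejected.
     */
    public URI validate(String clientId, String requestUri) {
        if (requestUri == null || requestUri.isEmpty()) {
            throw new IllegalArgumentException("request_uri missing");
        }
        URI uri;
        try {
            uri = new URI(requestUri);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("request_uri is not a valid URI", e);
        }
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null) {
            throw new IllegalArgumentException("request_uri must be an absolute https URI");
        }
        // Exact string comparison: no prefix matching, no normalisation, so a
        // registered value cannot be extended with extra path or query data.
        Set<String> allowed = registeredRequestUris.getOrDefault(clientId, Set.of());
        if (!allowed.contains(requestUri)) {
            throw new IllegalArgumentException(
                "request_uri is not pre-registered for client " + clientId);
        }
        return uri;
    }

    public static void main(String[] args) {
        // Constructed sample data for the demonstration.
        RequestUriPolicy policy = new RequestUriPolicy(Map.of(
            "client-a", Set.of("https://client-a.example/jar/req-123")));

        String registered = "https://client-a.example/jar/req-123";
        String unregistered = "https://third-party.example/some/endpoint";

        // Both pass the scheme-only check; only the first passes validate().
        System.out.println("https-only check, registered:   " + requireHttpsOnly(registered));
        System.out.println("https-only check, unregistered: " + requireHttpsOnly(unregistered));

        System.out.println("validate, registered: " + policy.validate("client-a", registered));
        try {
            policy.validate("client-a", unregistered);
        } catch (IllegalArgumentException e) {
            System.out.println("validate, unregistered: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The point of the comparison is that a scheme check constrains only the transport, not the destination: the server still issues an outbound request to whatever host the client names. Binding request_uri to values the client registered in advance removes that choice from the request. Where a deployment needs per-request URIs, the registered value can be a base URI and the comparison a prefix match, but that is a deliberate relaxation and should be paired with limits on fetch count, timeout and response size.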