Posted to issues@cxf.apache.org by "Martin (Jira)" <ji...@apache.org> on 2021/04/08 09:29:00 UTC

[jira] [Created] (CXF-8453) DOS vulnerability in bearer token parsing

Martin created CXF-8453:
---------------------------

             Summary: DOS vulnerability in bearer token parsing
                 Key: CXF-8453
                 URL: https://issues.apache.org/jira/browse/CXF-8453
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS Security
    Affects Versions: 3.4.3
            Reporter: Martin
         Attachments: cxf-bearer-dos.zip, stacktrace.txt

When a specific invalid bearer token is passed to the OAuthRequestFilter for validation, it gets stuck in an endless JSON parsing loop, with the given thread consuming the CPU indefinitely.

It seems to me that the problem may be on multiple levels, the first being that CXF decodes invalid Base64 without problems, and then tries to parse the invalid result as JSON. I obtained the invalid token by incorrectly copying the header value from the Firefox network tab, which shortens long header values with a "…" character - see the invalid token:

{{eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIyZ3RYd0FMb2h6ekNYTkFaYjBLbGFDVUtnQ01xMi0wUlFiNkVRYWFSeGE0In0.eyJleHAiOjE2MTc3MTA3MDgsImlhdCI6MTYxNzcxMDQwOCwiYXV0aF90aW1lIjoxNjE3NzEwNDA2LCJqdGkiOiJlMjEzZjY2Ni00Y2ZjLTQ4ZWItOTcxZi03NzEyMzA5YWYyZjYiLCJpc3MiOiJodHRwczovL3BnZGV2LnNlZmlyYS5jei9hdXRoL3JlYWxtcy9kZWZhdWx0IiwiYXVkIjpbIm9iZWxpc2stc3AtYXBpIiwiYWNjb3VudCJdLCJzdWIiOiI3NDYxYWUzNy05ODAxLTQ2MGQtODkwYS1lMTY0ZjUyM2Y4NzIiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJvYmVsaXNrLXNwLWd1aSIsIm5vbmNlIjoiYTIwZmM1ZTUtZTVmZ…hbCIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QiLCJnaXZlbl9uYW1lIjoiS2F6aXN2xJt0IE9zbcO9IiwiZmFtaWx5X25hbWUiOiJ6IEJvxb7DrSB2xa9sZSBrcsOhbCIsImVtYWlsIjoidGVzdEBzZWZpcmEuY3p4In0.oyOijY0OluxSzqsaZtTwH3_kl327jCziXQcFRpsoPpCqTXbwQmn4s4_75ov83iwVVi_tohaVniof_Y80IaMz62jzzJvr5HZNzFPjXbHMO4W4Wgp2HwtRJBDIIfpMvhyR6OYQfSmNl7Ie-1X5ij7PTeMO5qUH_U725NdzSLwz3A8DC7JAgpWdUJxJHbAUYtqoyOHHM8IYpzq0yGU0Zq3LS7EqN-mH3s4OqzTgcgXL7T7bpybTyjOF7e3GLQt9tn9E9Ch3ZPP9MtsVRQ8sJZRo1q-kZBQDSPkiCw0o-pOeVxzXy5LvSkFPLTp73ab2H0V08xKzQSKpjYOx9XKc8yzqkA}}

I attach a minimal Maven project that I put together which can reproduce the behavior by invoking this cURL request:

{{curl -v -H "Authorization: Bearer [token above]" [http://localhost/services/myapp/hell|http://localhost:8888/services/myapp/helltoken]o}}

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
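
Added example (not code from the CXF project or from the reporter): the report above describes two layered problems, a Base64 decoder that accepts a segment containing a non-alphabet "…" character, and a JSON parser that is then fed the garbage. The block below shows both sides in generic Python: a lenient decoder that silently drops the bad character and "succeeds", and a strict compact-JWS pre-check that rejects the token before any JSON parsing happens. The sample token, the `truncate_like_firefox` helper that simulates the copy-paste truncation, and the `MAX_SEGMENT_CHARS` cap are all constructed assumptions for this example; signature verification is deliberately out of scope.

```python
import base64
import binascii
import json
import re

# Canonical unpadded base64url alphabet (RFC 7515, "Base64url Encoding").
_B64URL_RE = re.compile(r"[A-Za-z0-9_-]*")
_B64URL_ALPHABET = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")
# Assumed upper bound on one JWS segment; a real deployment picks its own value.
MAX_SEGMENT_CHARS = 8192


class InvalidToken(ValueError):
    """Raised when the compact serialization is malformed; nothing is parsed further."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def lenient_b64url_decode(segment: str) -> bytes:
    """Lenient decoder: silently drops every character outside the alphabet,
    pads, and decodes. This reproduces the failure mode in the report, where a
    token containing a '...' character still 'decodes' to bytes."""
    cleaned = "".join(c for c in segment if c in _B64URL_ALPHABET)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.urlsafe_b64decode(cleaned)


def strict_b64url_decode(segment: str) -> bytes:
    """Strict decoder: reject anything that is not canonical unpadded base64url."""
    if len(segment) > MAX_SEGMENT_CHARS:
        raise InvalidToken("segment too long")
    if not _B64URL_RE.fullmatch(segment):
        raise InvalidToken("character outside the base64url alphabet")
    if len(segment) % 4 == 1:
        raise InvalidToken("impossible base64url length")
    std = segment.replace("-", "+").replace("_", "/") + "=" * (-len(segment) % 4)
    try:
        return base64.b64decode(std, validate=True)
    except binascii.Error as exc:
        raise InvalidToken(f"base64 decode failed: {exc}") from exc


def _json_object(raw: bytes, what: str) -> dict:
    """Decode as strict UTF-8 and require a JSON object; any failure is InvalidToken."""
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise InvalidToken(f"{what} is not valid JSON: {exc}") from exc
    if not isinstance(obj, dict):
        raise InvalidToken(f"{what} is not a JSON object")
    return obj


def parse_compact_jws(token: str):
    """Validate the compact JWS structure before any JSON is touched.
    Returns (header, payload, signature_bytes); the caller still has to
    verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken(f"expected 3 segments, got {len(parts)}")
    header_raw, payload_raw, sig_raw = (strict_b64url_decode(p) for p in parts)
    return _json_object(header_raw, "header"), _json_object(payload_raw, "payload"), sig_raw


def lenient_parse_payload(token: str):
    """What a lenient pipeline does: decode without validation, then try JSON.
    Returns the parsed object, or None when the decoded bytes are not JSON."""
    raw = lenient_b64url_decode(token.split(".")[1])
    try:
        return json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None


# Constructed sample token (not the reporter's); the signature segment is
# arbitrary bytes because only the structural checks matter here.
HEADER = {"alg": "RS256", "typ": "JWT"}
PAYLOAD = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}
GOOD_TOKEN = ".".join([
    b64url_encode(json.dumps(HEADER, separators=(",", ":")).encode()),
    b64url_encode(json.dumps(PAYLOAD, separators=(",", ":")).encode()),
    b64url_encode(b"\x00" * 32),
])


def truncate_like_firefox(token: str, start: int = 30, width: int = 10) -> str:
    """Simulate copying a long header value from a browser network tab that
    replaces the middle of the payload segment with a single U+2026 character."""
    h, p, s = token.split(".")
    return ".".join([h, p[:start] + "\u2026" + p[start + width:], s])


TRUNCATED_TOKEN = truncate_like_firefox(GOOD_TOKEN)

if __name__ == "__main__":
    print("strict, good token:", parse_compact_jws(GOOD_TOKEN)[1])
    print("lenient, truncated token:", lenient_parse_payload(TRUNCATED_TOKEN))
    try:
        parse_compact_jws(TRUNCATED_TOKEN)
    except InvalidToken as exc:
        print("strict, truncated token rejected:", exc)
```

The lenient path decodes the truncated payload to 48 bytes of misaligned data (the bytes after the splice are no longer on a 4-character boundary) and only finds out something is wrong when the JSON layer is reached; the strict path refuses the segment on the alphabet check alone, before any decoder or parser sees it. Whatever validation library sits behind the filter, the cheap structural checks (three segments, alphabet, length, size cap) belong in front of it.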