Posted to issues@cxf.apache.org by "Martin (Jira)" <ji...@apache.org> on 2021/04/08 09:29:00 UTC
[jira] [Created] (CXF-8453) DOS vulnerability in bearer token parsing
Martin created CXF-8453:
---------------------------
Summary: DOS vulnerability in bearer token parsing
Key: CXF-8453
URL: https://issues.apache.org/jira/browse/CXF-8453
Project: CXF
Issue Type: Bug
Components: JAX-RS Security
Affects Versions: 3.4.3
Reporter: Martin
Attachments: cxf-bearer-dos.zip, stacktrace.txt
When a specific invalid bearer token is passed to the OAuthRequestFilter for validation, it gets stuck in an endless JSON parsing loop, with the given thread consuming the CPU indefinitely.
It seems to me that the problem may be on multiple levels, the first being that CXF decodes invalid Base64 without problems, and then tries to parse the invalid result as JSON. I obtained the invalid token by incorrectly copying the header value from the Firefox network tab, which shortens long header values with a "…" character - see the invalid token:
{{eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIyZ3RYd0FMb2h6ekNYTkFaYjBLbGFDVUtnQ01xMi0wUlFiNkVRYWFSeGE0In0.eyJleHAiOjE2MTc3MTA3MDgsImlhdCI6MTYxNzcxMDQwOCwiYXV0aF90aW1lIjoxNjE3NzEwNDA2LCJqdGkiOiJlMjEzZjY2Ni00Y2ZjLTQ4ZWItOTcxZi03NzEyMzA5YWYyZjYiLCJpc3MiOiJodHRwczovL3BnZGV2LnNlZmlyYS5jei9hdXRoL3JlYWxtcy9kZWZhdWx0IiwiYXVkIjpbIm9iZWxpc2stc3AtYXBpIiwiYWNjb3VudCJdLCJzdWIiOiI3NDYxYWUzNy05ODAxLTQ2MGQtODkwYS1lMTY0ZjUyM2Y4NzIiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJvYmVsaXNrLXNwLWd1aSIsIm5vbmNlIjoiYTIwZmM1ZTUtZTVmZ…hbCIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QiLCJnaXZlbl9uYW1lIjoiS2F6aXN2xJt0IE9zbcO9IiwiZmFtaWx5X25hbWUiOiJ6IEJvxb7DrSB2xa9sZSBrcsOhbCIsImVtYWlsIjoidGVzdEBzZWZpcmEuY3p4In0.oyOijY0OluxSzqsaZtTwH3_kl327jCziXQcFRpsoPpCqTXbwQmn4s4_75ov83iwVVi_tohaVniof_Y80IaMz62jzzJvr5HZNzFPjXbHMO4W4Wgp2HwtRJBDIIfpMvhyR6OYQfSmNl7Ie-1X5ij7PTeMO5qUH_U725NdzSLwz3A8DC7JAgpWdUJxJHbAUYtqoyOHHM8IYpzq0yGU0Zq3LS7EqN-mH3s4OqzTgcgXL7T7bpybTyjOF7e3GLQt9tn9E9Ch3ZPP9MtsVRQ8sJZRo1q-kZBQDSPkiCw0o-pOeVxzXy5LvSkFPLTp73ab2H0V08xKzQSKpjYOx9XKc8yzqkA}}
I attach a minimal Maven project that I put together which can reproduce the behavior by invoking this cURL request:
{{curl -v -H "Authorization: Bearer [token above]" [http://localhost/services/myapp/hell|http://localhost:8888/services/myapp/helltoken]o}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)