Posted to issues@cxf.apache.org by "Martin (Jira)" <ji...@apache.org> on 2021/04/08 09:37:00 UTC

[jira] [Closed] (CXF-8453) DOS vulnerability in bearer token parsing

     [ https://issues.apache.org/jira/browse/CXF-8453?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin closed CXF-8453.
-----------------------
    Resolution: Duplicate

> DOS vulnerability in bearer token parsing
> -----------------------------------------
>
>                 Key: CXF-8453
>                 URL: https://issues.apache.org/jira/browse/CXF-8453
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.4.3
>            Reporter: Martin
>            Priority: Major
>         Attachments: cxf-bearer-dos.zip, stacktrace.txt
>
>
> When a specific invalid bearer token is passed to the OAuthRequestFilter for validation, it gets stuck in an endless JSON parsing loop, with the given thread consuming the CPU indefinitely.
> It seems to me that the problem is maybe on multiple levels, the first being that CXF decodes invalid Base64 without problems, and then tries to parse the invalid result as JSON. I obtained the invalid token by incorrectly copying the header value from Firefox network tab, which shortens long header values with "…" character - see the invalid token:
> {{eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIyZ3RYd0FMb2h6ekNYTkFaYjBLbGFDVUtnQ01xMi0wUlFiNkVRYWFSeGE0In0.eyJleHAiOjE2MTc3MTA3MDgsImlhdCI6MTYxNzcxMDQwOCwiYXV0aF90aW1lIjoxNjE3NzEwNDA2LCJqdGkiOiJlMjEzZjY2Ni00Y2ZjLTQ4ZWItOTcxZi03NzEyMzA5YWYyZjYiLCJpc3MiOiJodHRwczovL3BnZGV2LnNlZmlyYS5jei9hdXRoL3JlYWxtcy9kZWZhdWx0IiwiYXVkIjpbIm9iZWxpc2stc3AtYXBpIiwiYWNjb3VudCJdLCJzdWIiOiI3NDYxYWUzNy05ODAxLTQ2MGQtODkwYS1lMTY0ZjUyM2Y4NzIiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJvYmVsaXNrLXNwLWd1aSIsIm5vbmNlIjoiYTIwZmM1ZTUtZTVmZ…hbCIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QiLCJnaXZlbl9uYW1lIjoiS2F6aXN2xJt0IE9zbcO9IiwiZmFtaWx5X25hbWUiOiJ6IEJvxb7DrSB2xa9sZSBrcsOhbCIsImVtYWlsIjoidGVzdEBzZWZpcmEuY3p4In0.oyOijY0OluxSzqsaZtTwH3_kl327jCziXQcFRpsoPpCqTXbwQmn4s4_75ov83iwVVi_tohaVniof_Y80IaMz62jzzJvr5HZNzFPjXbHMO4W4Wgp2HwtRJBDIIfpMvhyR6OYQfSmNl7Ie-1X5ij7PTeMO5qUH_U725NdzSLwz3A8DC7JAgpWdUJxJHbAUYtqoyOHHM8IYpzq0yGU0Zq3LS7EqN-mH3s4OqzTgcgXL7T7bpybTyjOF7e3GLQt9tn9E9Ch3ZPP9MtsVRQ8sJZRo1q-kZBQDSPkiCw0o-pOeVxzXy5LvSkFPLTp73ab2H0V08xKzQSKpjYOx9XKc8yzqkA}}
> I attach a minimal Maven project that I put together which can reproduce the behavior by invoking this cURL request:
> {{curl -v -H "Authorization: Bearer [token above]" [http://localhost/services/myapp/hell|http://localhost:8888/services/myapp/helltoken]o}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
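As an added example (not CXF code, and not from the reporter), the check a token filter would want in front of any JSON parsing: reject a compact JWS whose segments contain anything outside the unpadded base64url alphabet, such as the "…" a browser inserts when it shortens a header, instead of decoding leniently and handing garbage to the JSON parser. The tokens below are constructed inline, and the segment length limit is an assumed deployment value.

```python
import base64
import binascii
import json
import re

# Unpadded base64url alphabet (RFC 7515 section 2); anything else is rejected.
_B64URL_RE = re.compile(r"[A-Za-z0-9_-]+")
MAX_SEGMENT_LEN = 8192  # assumed upper bound; tune per deployment


def decode_segment(segment: str) -> bytes:
    """Strictly decode one JWS segment; never silently drop bad characters."""
    if not segment or len(segment) > MAX_SEGMENT_LEN:
        raise ValueError("segment empty or too long")
    if not _B64URL_RE.fullmatch(segment):
        raise ValueError("segment contains non-base64url characters")
    if len(segment) % 4 == 1:
        raise ValueError("segment length is not a valid base64url length")
    padded = segment + "=" * (-len(segment) % 4)
    try:
        return base64.b64decode(padded.translate(str.maketrans("-_", "+/")), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"segment is not valid base64url: {exc}") from exc


def parse_jws_compact(token: str):
    """Return (header, payload, signature_segment) or raise ValueError.
    Only structure is checked here; signature verification is a separate step."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected exactly three dot-separated segments")
    header = json.loads(decode_segment(parts[0]))  # fails fast on bad input
    payload = json.loads(decode_segment(parts[1]))
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("header and payload must be JSON objects")
    return header, payload, parts[2]


def token_is_well_formed(token: str) -> bool:
    try:
        parse_jws_compact(token)
        return True
    except ValueError:  # JSONDecodeError and UnicodeDecodeError are subclasses
        return False


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample tokens: a well-formed one and a copy with "…" in the payload.
_HDR, _PL = _b64url(b'{"alg":"RS256","typ":"JWT"}'), _b64url(b'{"sub":"test"}')
GOOD_TOKEN = ".".join([_HDR, _PL, "sig"])
TRUNCATED_TOKEN = ".".join([_HDR, _PL[:6] + "\u2026" + _PL[-4:], "sig"])
```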