Affected Systems:
Apache Group CXF <2.6.14
Apache Group CXF 2.7.11
Description:
--------------------------------------------------------------------------------
Bugtraq id: 67232
CVE (CAN) ID: CVE-2014-0110
Apache CXF is an open-source services framework for building and developing services with front-end programming APIs such as JAX-WS and JAX-RS.
Apache CXF versions earlier than 2.6.14 and 2.7.11 mishandle errors while parsing SOAP messages: when a message contains invalid content, the server reads the remaining data and caches it to a temporary file. By sending large invalid content, an attacker can fill the /tmp directory and cause a denial of service.
<* Source: Giancarlo Pellegrino
Davide Balzarotti
Link: http://secunia.com/advisories/58436/
http://cxf.apache.org/security-advisories.data/CVE-2014-0109.txt.asc
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Apache Group
------------
Apache Group has released a Security Bulletin (CVE-2014-0109) and patches for this:
CVE-2014-0109: HTML content posted to SOAP endpoint could cause OOM errors
Link: http://cxf.apache.org/security-advisories.data/CVE-2014-0109.txt.asc
Patch download: https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=f8ed98e684c1a67a77ae8726db05a04a4978a445
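As an added illustration (not code from the advisory or from the CXF project), this is the hardening a practitioner would pair with the upgrade: a JAX-WS endpoint published through CXF with its disk caching bounded so that malformed message content cannot grow a temporary file without limit. The three property keys are CXF's attachment-caching property names; the values, the cache directory and the EchoService class are constructed examples, and it is assumed that the fixed versions (2.6.14/2.7.11 and later) honor attachment-max-size for cached invalid content.

```java
import java.util.HashMap;
import java.util.Map;
import javax.jws.WebService;
import javax.xml.ws.Endpoint;

public class BoundedCxfEndpoint {

    // Minimal service so that an endpoint can be published (constructed example).
    @WebService
    public static class EchoService {
        public String echo(String s) {
            return s;
        }
    }

    // Bound the on-disk caching CXF uses for large or malformed message content.
    // Keys are CXF's attachment-caching property names; values are assumed examples.
    static Map<String, Object> cachingLimits() {
        Map<String, Object> props = new HashMap<String, Object>();
        // Spill to disk only above this many bytes; smaller bodies stay in memory.
        props.put("attachment-memory-threshold", 64L * 1024);
        // Hard cap on cached bytes: larger input is rejected instead of filling the disk
        // (assumed to apply to the cached invalid content described in the advisory).
        props.put("attachment-max-size", 10L * 1024 * 1024);
        // Keep spill files off the shared /tmp so a full cache cannot starve other services.
        props.put("attachment-directory", "/var/cxf-cache");
        return props;
    }

    public static void main(String[] args) {
        Endpoint ep = Endpoint.create(new EchoService());
        ep.setProperties(cachingLimits());
        ep.publish("http://localhost:9000/echo");
        System.out.println("Echo service published with bounded caching");
    }
}
```

The cache directory should sit on its own filesystem or quota and have free space monitored, since disk exhaustion is the symptom of this class of bug.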