Apache CXF Remote Denial of Service Vulnerability (CVE-2014-0110)

Release date:
Updated on:

Affected Systems:
Apache Group CXF <2.6.14
Apache Group CXF 2.7.11
Description:
--------------------------------------------------------------------------------
Bugtraq id: 67232
CVE (CAN) ID: CVE-2014-0110
 
Apache CXF is an open-source service framework used to compile and develop services using front-end programming APIs such as JAX-WS and JAX-RS.
 
An error occurred when processing or parsing SOAP messages in Apache CXF versions earlier than 2.6.14 and 2.7.11. This allows the server to read the remaining data and save it to a temporary file to dynamically create data, attackers can occupy the entire/tmp directory, resulting in DOS.

Recommended reading:

Basic Apache CXF quick start tutorial

Apache CXF practice
 
<* Source: Giancarlo Pellegrino
Davide Balzarotti

Link: http://secunia.com/advisories/58436/
Http://cxf.apache.org/security-advisories.data/CVE-2014-0109.txt.asc
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
Apache Group
------------
Apache Group has released a Security Bulletin (CVE-2014-0109) and patches for this:
CVE-2014-0109: HTML content posted to SOAP endpoint cocould cause OOM errors
Link: http://cxf.apache.org/security-advisories.data/CVE-2014-0109.txt.asc
 
Patch download: https://git-wip-us.apache.org/repos/asf? P = cxf. git; a = commit; h = f8ed98e684c1a67a77ae8726db05a04a4978a445

For details about Apache CXF, click here
Apache CXF: click here

This article permanently updates the link address: