CVE-2017-12624: DoS vulnerability in Apache CXF prior to versions 3.2.1, 3.1.14 and 3.0.16

Issue date: 26-01-2018
Affects versions: 12.0, 11.2, 10.2

Summary

CVE-2017-12624: Denial of Service (DoS) vulnerability in Apache CXF processing attachments, prior to versions 3.2.1, 3.1.14 and 3.0.16

Issue ID: SECURITY-38

Affected Product Version(s)
This vulnerability applies to CMS 10.2.7, CMS 11.2.3 and CMS 12.0.2 and earlier versions.
Note: the latest CMS 12.1.0 release is not affected!

Severity
High

Description
As disclosed by the Apache CXF project:

Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications.
It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider.
Both JAX-WS and JAX-RS services are vulnerable to this attack.
From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default.
This value is configurable via the property "attachment-max-header-size".
[...]

Migration:

Apache CXF users should upgrade to 3.2.1 or 3.1.14 as soon as possible if they are using web services with attachments.

In addition to the above disclosure and fix releases the Apache CXF project later also backported and released this fix to version 3.0.16.

This vulnerability is classified as high severity, and may also apply to project-specific usages of the Apache CXF libraries within a Hippo CMS project.

The Apache CXF version used in all supported CMS versions has therefore been upgraded:

  • Apache CXF 3.1.14 for CMS 11.2.4, CMS 12.0.3 and CMS 12.1.0
    This includes a required update for the Jackson2 libraries to version 2.8.8
  • Apache CXF 3.0.16 for CMS 10.2.8
    This includes a required update for the Jackson2 libraries to version 2.4.6

Instructions
Every CMS customer is strongly advised to upgrade as soon as possible to the latest CMS maintenance release as indicated above, or higher.

The upgrade of the Apache CXF libraries should be fully backwards compatible.
The necessary upgrade of the Jackson2 libraries should also be backwards compatible for most, if not all, usages.

Upgrading Hippo projects therefore requires only updating to the newer CMS release version in the root project pom.xml.
However, we do advise projects to check and verify any project-specific usages of CXF and Jackson2 for the expected and intended behavior.
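To support that verification, the following added script (illustration written for this advisory, not Hippo/Bloomreach or Apache CXF project code) checks resolved CXF artifact versions against the fixed releases named above, 3.0.16, 3.1.14 and 3.2.1, by parsing output in the shape that `mvn dependency:tree` prints. The sample tree is constructed; the treatment of 2.x branches as unpatched is an assumption based on the CVE wording "prior to" those versions.

```python
"""Flag Apache CXF versions below the fix releases named in this advisory
(CVE-2017-12624), reading lines shaped like `mvn dependency:tree` output.
Added illustration; not Hippo/Bloomreach or Apache CXF project code."""
import re

# First fixed version on each CXF branch, per the advisory (3.0.16 backport included).
CXF_FIXED = {(3, 0): (3, 0, 16), (3, 1): (3, 1, 14), (3, 2): (3, 2, 1)}

def parse_version(text):
    """Turn '3.1.12' (or '3.1.12.something') into a tuple of ints."""
    nums = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) if p else 0 for p in nums.groups())

def cxf_is_vulnerable(version):
    """True if this CXF version predates the fix on its branch.
    Assumption: branches older than 3.0 have no fix release in the advisory
    and are treated as vulnerable; 3.3+ (newer than the fix) as fixed."""
    v = parse_version(version)
    branch = v[:2]
    if branch in CXF_FIXED:
        return v < CXF_FIXED[branch]
    return branch < (3, 0)

# Dependency lines look like: groupId:artifactId:type:version:scope
DEP_LINE = re.compile(r"(org\.apache\.cxf):([\w.-]+):jar:([\w.-]+)")

def scan_dependency_tree(tree_text):
    """Return [(artifact, version)] for every vulnerable CXF entry found."""
    hits = []
    for line in tree_text.splitlines():
        m = DEP_LINE.search(line)
        if m and cxf_is_vulnerable(m.group(3)):
            hits.append((m.group(2), m.group(3)))
    return hits

# Constructed sample resembling `mvn dependency:tree -Dincludes=org.apache.cxf`.
SAMPLE_TREE = """\
[INFO] com.example:myhippo-cms:war:1.0-SNAPSHOT
[INFO] +- org.apache.cxf:cxf-rt-frontend-jaxrs:jar:3.1.12:compile
[INFO] |  \\- org.apache.cxf:cxf-core:jar:3.1.12:compile
[INFO] \\- org.apache.cxf:cxf-rt-rs-extension-providers:jar:3.1.14:compile
"""

if __name__ == "__main__":
    for artifact, version in scan_dependency_tree(SAMPLE_TREE):
        print(f"vulnerable: {artifact} {version} (CVE-2017-12624)")
```

Run it against real `mvn dependency:tree -Dincludes=org.apache.cxf` output from the project root to see which resolved CXF artifacts still predate the fixed release on their branch.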