CVE-2017-12624: DoS vulnerability in Apache CXF prior to versions 3.2.1, 3.1.14 and 3.0.16
Issue date: 26-01-2018Affects versions: 12.0, 11.2, 10.2
Summary
CVE-2017-12624: Denial of Service (DoS) vulnerability in Apache CXF processing attachments, prior to versions 3.2.1, 3.1.14 and 3.0.16
Issue ID: SECURITY-38
Affected Product Version(s)
This vulnerability applies to CMS 10.2.7, CMS 11.2.3 and CMS 12.0.2 and earlier versions.
Note: the latest CMS 12.1.0 release is not affected!
Severity
high
Description
As disclosed by the Apache CXF project:
It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider.
Both JAX-WS and JAX-RS services are vulnerable to this attack.
- From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default.
This value is configurable via the property "attachment-max-header-size".
[...]
Migration:
Apache CXF users should upgrade to 3.2.1 or 3.1.14 as soon as possible if they are using web services with attachments.
In addition to the above disclosure and fix releases the Apache CXF project later also backported and released this fix to version 3.0.16.
This vulnerability is classified with severity high, and may (also) apply to project specific usages of the Apache CXF libraries within a Hippo CMS project.
The Apache CXF version used in all supported CMS versions therefore have been upgraded:
- Apache CXF 3.1.14 for CMS 11.2.4, CMS 12.0.3 and CMS 12.1.0
This includes a required update for the Jackson2 libraries to version 2.8.8 - Apache CXF 3.0.16 for CMS 10.2.8
This includes a required update for the Jackson2 libraries to version 2.4.6
Instructions
Every CMS customer is strongly advised to upgrade as soon as possible to the latest CMS maintenance release as indicated above, or higher.
The upgrade of the Apache CXF libraries should all be fully backwards compatible.
The necessary upgrade of the Jackson2 libraries also should be backwards compatible for most, if not all, usages.
Upgrading Hippo projects therefore requires just the update to the newer CMS release version in their root project pom.xml.
However we do advise project to check and verify possible project specific usages of CXF and Jackson2 for the expected and intended behavior.