CVE-2014-0109: HTML content posted to SOAP endpoint could cause OOM errors

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 2.6.14
and 2.7.11.

Description:

If content is posted to a SOAP endpoint with Content-Type text/html, CXF
creates an error message based on the input. This could potentially cause an
Out Of Memory (OOM) error on a large input, leading to a possible Denial of
Service attack.
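An added illustration of the pattern the description names, constructed for this advisory and not taken from CXF's code: the pre-fix handler builds its error text from the entire request body, so memory use grows with the input, while the hardened form decides on the Content-Type header alone and echoes at most a fixed number of bytes. The accepted media-type list and the 128-byte preview cap are assumptions.

```python
import io
from typing import Tuple

# Media types accepted as SOAP requests (constructed list, not CXF's own table).
SOAP_MEDIA_TYPES = {"text/xml", "application/soap+xml", "multipart/related"}
# Upper bound on how much of a rejected body is echoed into the error (assumed value).
PREVIEW_LIMIT = 128


class CountingStream:
    """Wraps a request body and records how many bytes a handler actually consumed."""

    def __init__(self, raw: bytes):
        self._buf = io.BytesIO(raw)
        self.bytes_read = 0

    def read(self, n: int = -1) -> bytes:
        data = self._buf.read(n)
        self.bytes_read += len(data)
        return data


def media_type(content_type: str) -> str:
    """'text/html; charset=utf-8' -> 'text/html' (parameters stripped, lower-cased)."""
    return content_type.split(";", 1)[0].strip().lower()


def vulnerable_error_message(content_type: str, body: CountingStream) -> str:
    """Pre-fix pattern: the error text embeds the whole body, so a large POST is buffered entirely."""
    if media_type(content_type) == "text/html":
        html = body.read()  # unbounded read: memory scales with whatever the client sent
        return "Unexpected HTML content: " + html.decode("utf-8", "replace")
    return ""


def hardened_error_message(content_type: str, body: CountingStream) -> Tuple[int, str]:
    """Fixed pattern: reject on the header, then quote at most PREVIEW_LIMIT bytes of the body."""
    mt = media_type(content_type)
    if mt in SOAP_MEDIA_TYPES:
        return 200, ""  # hand off to normal SOAP processing without touching the body here
    preview = body.read(PREVIEW_LIMIT).decode("utf-8", "replace")
    if body.read(1):  # one-byte peek: mark truncation without draining the rest
        preview += "..."
    return 415, f"Unsupported Content-Type {mt!r}; body starts with: {preview}"
```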

This has been fixed in revisions:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=f8ed98e684c1a67a77ae8726db05a04a4978a445

Migration:

CXF 2.6.x users should upgrade to 2.6.14 or later as soon as possible.
CXF 2.7.x users should upgrade to 2.7.11 or later as soon as possible.

References: http://cxf.apache.org/security-advisories.html

Credits:

We would like to thank Giancarlo Pellegrino and Davide Balzarotti for
reporting this issue.
