-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2017-12624: Apache CXF web services that process attachments are vulnerable to Denial of Service (DoS) attacks

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:
This vulnerability affects all versions of Apache CXF prior to 3.2.1 and 3.1.14.

Description:
Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack.

From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property "attachment-max-header-size".

This has been fixed in revision:
https://github.com/apache/cxf/commit/8bd915bfd7735c248ad660059c6b6ad26cdbcdf6

Migration:
Apache CXF users should upgrade to 3.2.1 or 3.1.14 as soon as possible if they are using web services with attachments.

Credit:
This issue was reported by Wang, Shixiang (Kevin) from Nokia.

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJaCt1wAAoJEGe/gLEK1TmDt4oH/1fURfaP65gziMLC3HJepeWn
jwa7UgFI1X8bsA3V1eY/lvTdqrwLtswQxUqqmiSTE6L5OMVWRFJLAokv9CFBWwZ7
DfZJCOryjHCc0hsyt/rkMfmIiedu2BbcUiPsYfiq0qVML9Bdj8NFtFNEKoQeMil6
Qgz8XV6ctIHSFn6U8tbmOtz3x8snwv9J8j6dTG6Ak4nWv/WjQ/rT50skf9f3FyGi
+oxt6apUyGODOiYEJKhN909mP3ixMl1Z9qRaf87Oj3VVyxCA2ih2dHe2gbamcc2v
G5XlhO0+KqK7ioOQaTf7lDNfwiERXZPO/k1i1ZSIL8BwtSOKhttFl3G+y2KGo1I=
=Qdsk
-----END PGP SIGNATURE-----
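The mitigation the advisory describes is a hard cap on the size of each MIME part header before the attachment is processed. The following is an added illustration of that kind of bound, written for this page; it is not Apache CXF code and does not reproduce the project's parser. It assumes the header size is measured as the unfolded "Name: value" text of one header, that the default limit is the advisory's 300 characters, and that the sample MIME part headers below are constructed for the example. The "attachment-max-header-size" name is reused only as the name of the parameter so the mapping to the advisory is obvious.

```python
# Added example: enforce a maximum attachment (MIME part) header size while
# parsing, rejecting the part before its body is ever read. Not CXF code.

DEFAULT_MAX_HEADER_SIZE = 300  # default from the advisory (CXF 3.2.1 / 3.1.14)


class AttachmentHeaderTooLarge(ValueError):
    """Raised when one unfolded header of a MIME part exceeds the configured limit."""


def parse_part_headers(raw_part, attachment_max_header_size=DEFAULT_MAX_HEADER_SIZE):
    """Parse the header block of one MIME part (everything before the first blank line).

    Folded continuation lines (starting with space or tab) are joined onto the
    previous header before the size is measured, so a limit cannot be dodged by
    splitting one long header across many short lines. Returns a dict of
    lower-cased header names to values, or raises AttachmentHeaderTooLarge.
    """
    headers = {}
    current = None
    for line in raw_part.split("\r\n"):
        if line == "":
            break  # blank line ends the header block; the body is not inspected
        if line[:1] in (" ", "\t") and current is not None:
            headers[current] += " " + line.strip()  # unfold continuation line
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed header line: %r" % line)
            current = name.strip().lower()
            headers[current] = value.strip()
        # Size of the header as it would be reconstructed: "Name: value"
        size = len(current) + 2 + len(headers[current])
        if size > attachment_max_header_size:
            raise AttachmentHeaderTooLarge(
                "header %r is %d characters, limit is %d"
                % (current, size, attachment_max_header_size)
            )
    return headers


def part_is_acceptable(raw_part, attachment_max_header_size=DEFAULT_MAX_HEADER_SIZE):
    """True if the part's headers are within the limit, False if they would be rejected."""
    try:
        parse_part_headers(raw_part, attachment_max_header_size)
    except AttachmentHeaderTooLarge:
        return False
    return True


# Constructed sample: an ordinary attachment part with one folded header.
NORMAL_PART = (
    "Content-Type: application/octet-stream\r\n"
    "Content-Transfer-Encoding: binary\r\n"
    "Content-Disposition: attachment;\r\n"
    ' filename="report.pdf"\r\n'
    "Content-ID: <attachment1@example.org>\r\n"
    "\r\n"
    "<binary payload omitted>"
)

# Constructed sample: a part whose Content-ID header is far beyond 300 characters.
OVERSIZED_PART = (
    "Content-Type: application/octet-stream\r\n"
    "Content-ID: <" + "x" * 1000 + "@example.org>\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(parse_part_headers(NORMAL_PART))
    print("normal part accepted:", part_is_acceptable(NORMAL_PART))
    print("oversized part accepted:", part_is_acceptable(OVERSIZED_PART))
    print("oversized part accepted with limit 5000:",
          part_is_acceptable(OVERSIZED_PART, attachment_max_header_size=5000))
```

The check runs as each header line is consumed, so an oversized header is rejected as soon as it crosses the limit rather than after the whole part has been buffered. Raising the limit, as the advisory's configurable property allows, only makes sense when a legitimate client is known to send larger headers.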