-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2013-2160: Denial of Service Attacks on Apache CXF

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected:
This vulnerability affects all versions of Apache CXF prior to 2.5.10, 2.6.7 and 2.7.4.

Description:
It is possible to execute Denial of Service attacks on Apache CXF by exploiting the fact that the streaming XML parser does not put limits on properties of the received document such as the number of elements, the number of attributes, or the depth of its nested structure. The effects of these attacks range from high CPU usage to the JVM running out of memory.

Apache CXF 2.5.10, 2.6.7 and 2.7.4 onwards pick up Woodstox 4.2.0 as the streaming XML parser, which enforces appropriate limits to prevent these attacks.

This has been fixed in revisions:
http://svn.apache.org/viewvc?view=revision&revision=1460428

Migration:
CXF 2.5.x users should upgrade to 2.5.10 or later as soon as possible.
CXF 2.6.x users should upgrade to 2.6.7 or later as soon as possible.
CXF 2.7.x users should upgrade to 2.7.4 or later as soon as possible.

Credit:
This issue was reported by Andreas Falkenberg of SEC Consult Deutschland GmbH, and Christian Mainka, Juraj Somorovsky and Joerg Schwenk of Ruhr-University Bochum.

References:
http://cxf.apache.org/security-advisories.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJRzAEPAAoJEGe/gLEK1TmDX+IH/jAVBIlf4Gri4oqTe46/Un8I
Qc297NQT+aBe9NRftrfv5zAQLPIE8UTAyecr/RILE9Fr5O0OkyR++/AO0V/x0QqL
Bf2DHuwNN1UZfsjaO8osbUJAVVJLbt5ab4IsVrJNe0EuTEC2X/oQHBMtLr/Vn4Dm
0YiXUjBRsIz1sGCXJ9ptQasfc4FQaBTRNlhWSoJhsix9EcfhZh3GaewbyXPsOGTU
+zfYsRRWjg+m8GT3b01gsxBRqUNvGw3M0g1Z96raDJSEzW7YRXUpwvrlUkBGvr1c
drWZ6YqPqYJS7hZru7DbrLky9utR8qJCaPLFNLPA77auTDB9wLyKAslNL/6GhPI=
=R9Kh
-----END PGP SIGNATURE-----
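The mitigation the advisory describes is a streaming parser that bounds element count, attribute count and nesting depth while events are still arriving, so a hostile document is rejected before it can consume CPU or heap. The following is an added illustration of that technique written for this page; it is not Apache CXF or Woodstox code. It uses Python's expat bindings as a stand-in for a StAX parser, the limit values are chosen for the example, and the three oversized documents are constructed inline.

```python
import xml.parsers.expat


class XmlLimitExceeded(ValueError):
    """Raised as soon as a streamed document exceeds a configured bound."""


class BoundedStreamingParser:
    """SAX-style parser that enforces resource limits per event.

    Each bound is checked when the corresponding event arrives, so an
    oversized document fails fast instead of being buffered in full.
    The default limit values below are illustrative, not CXF defaults.
    """

    def __init__(self, max_depth=64, max_elements=10_000,
                 max_attrs_per_element=64, max_text_chars=1_000_000):
        self.max_depth = max_depth
        self.max_elements = max_elements
        self.max_attrs_per_element = max_attrs_per_element
        self.max_text_chars = max_text_chars
        self.depth = 0          # current nesting depth
        self.elements = 0       # elements seen so far
        self.deepest = 0        # deepest nesting observed
        self.text_chars = 0     # total character data seen
        self._parser = xml.parsers.expat.ParserCreate()
        self._parser.StartElementHandler = self._start
        self._parser.EndElementHandler = self._end
        self._parser.CharacterDataHandler = self._chars

    def _start(self, name, attrs):
        self.depth += 1
        self.elements += 1
        self.deepest = max(self.deepest, self.depth)
        if self.depth > self.max_depth:
            raise XmlLimitExceeded(
                f"nesting depth {self.depth} exceeds {self.max_depth}")
        if self.elements > self.max_elements:
            raise XmlLimitExceeded(
                f"element count {self.elements} exceeds {self.max_elements}")
        if len(attrs) > self.max_attrs_per_element:
            raise XmlLimitExceeded(
                f"<{name}> has {len(attrs)} attributes, "
                f"limit is {self.max_attrs_per_element}")

    def _end(self, name):
        self.depth -= 1

    def _chars(self, data):
        self.text_chars += len(data)
        if self.text_chars > self.max_text_chars:
            raise XmlLimitExceeded(
                f"character data exceeds {self.max_text_chars} chars")

    def parse(self, data: bytes, chunk_size: int = 4096) -> dict:
        """Feed the document in chunks, as a network stream would arrive."""
        for i in range(0, len(data), chunk_size):
            self._parser.Parse(data[i:i + chunk_size], False)
        self._parser.Parse(b"", True)
        return {"elements": self.elements, "max_depth": self.deepest,
                "text_chars": self.text_chars}


def check(data: bytes, **limits):
    """Return (accepted, stats-or-reason) for a document under given limits."""
    try:
        return True, BoundedStreamingParser(**limits).parse(data)
    except XmlLimitExceeded as exc:
        return False, str(exc)


# Constructed sample inputs: one benign request and three that each blow a
# different bound (depth, element count, attributes per element).
BENIGN = b"<order><item sku='A1' qty='2'/><item sku='B7' qty='1'/></order>"
DEEP = b"<a>" * 500 + b"</a>" * 500
FLOOD = b"<r>" + b"<x/>" * 20_000 + b"</r>"
ATTRS = b"<r " + b" ".join(b'a%d="1"' % i for i in range(200)) + b"/>"

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("deep", DEEP),
                       ("flood", FLOOD), ("attrs", ATTRS)]:
        print(label, check(doc))
```

Raising from inside a handler aborts `Parse()` immediately, which is the property that matters: the rejection cost is bounded by the limit, not by the size of the attacker's document. The same idea applies to a StAX parser, where the bounds are checked as each `START_ELEMENT` event is pulled.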