-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OAuth 2 authorization service vulnerable to DDos attacks (CVE-2021-22696)

PRODUCT AFFECTED:

This issue affects Apache CXF.

PROBLEM:

CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter.

CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token.

This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec.

This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.

This issue has been assigned CVE-2021-22696.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE20Xs0ZuXUU9ycQWuZ7+AsQrVOYMFAmBm444ACgkQZ7+AsQrV
OYMP8Af+LKmoCnKzWikWNXphDIGrefAvKJNhpguBy6msBs8BRU+4kwGV5jjSaHpg
1sYeDdxV1qQzWiRlXluyUIwLd+iY6FEYurC5ZAi9Mhd1M0B+iIfF1asxmVK+4Iyg
NphtgDCFGAM0D60VFR5lDX0Ib6E1mM+gTKplKMxY7NUJUw4mDRAAmQVrpkPzsNI/
0E+zVFL8crotUQiDN0jcUncaZt/i+P3jNFt5/77YrqMwgYcmuDTpSMzDtRPUjaaF
svj/kI8x+U2e2BZRqUUYnJJMy2tmLKWw47d9/cGqJZ0Oqip/caFntDYsfECt13Z3
bU+bEzRGdbEiTRS3mj1bSvwzK+RxZg==
=Rl7l
-----END PGP SIGNATURE-----