On Wednesday 16 June 2010 10:00:03 pm Nikolay Elenkov wrote:
> On 2010/06/17 0:29, Daniel Kulp wrote:
> > The Apache CXF team recently discovered a security issue that may allow
> > an attacker to carry out denial of service attacks and to read arbitrary
> > files on the file system of the node where CXF runs. Details of the
> > vulnerability are described in the following advisory:
> >
> > http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf
>
> I know it is better to upgrade, but just to confirm, are we OK if we are
> using only SOAP binding
> (@BindingType("http://schemas.xmlsoap.org/wsdl/soap/http"))? I did test it
> with the example exploits in the advisory, and it doesn't seem to be
> vulnerable, but could you confirm?
It MAY be vulnerable depending on the StAX parser that's being picked up.
In particular, the stuff in section 5.2 of the advisory could be a problem.
For example:

    <!DOCTYPE Envelope SYSTEM "http://www.google.com/search?q=test">
    <soap:Envelope>......</soap:Envelope>

MAY result in the parser calling off to google prior to us being able to
send the fault back due to the DTD being there. The parser may process the
DTD prior to us getting the event that it is there.

I don't really know what kind of problems being able to do a "get" on a URL
from within Java can produce. Possibly a DOS if they send enough requests to
tie up network resources. I don't really know.

That said, it also depends on the parser. The parser may or may not process
the DTD prior to the event. I don't really know which do and which don't.

I don't believe the stuff in sections 5.1 and 5.3 are a problem as we would
fault out prior to any entities being expanded and data being exposed.

--
Daniel Kulp
dk...@apache.org
http://dankulp.com/blog
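The uncertainty above is whether the StAX implementation resolves the external DTD subset before the application ever sees the DTD event. Added example (not CXF code, not from either poster) showing a defensive configuration of the standard javax.xml.stream API: the class name, the placeholder DTD URL and the constructed envelope are assumptions. Besides SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES, it installs an XMLResolver that refuses every external lookup, so a parser that does try to fetch the external subset early fails the parse instead of making a network request.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedStaxCheck {

    // Constructed sample envelope of the shape discussed in section 5.2:
    // a DOCTYPE with an external SYSTEM id. The URL is a placeholder and
    // must never be fetched by this code.
    static final String ENVELOPE =
        "<!DOCTYPE Envelope SYSTEM \"http://dtd.example/placeholder.dtd\">"
      + "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soap:Body/></soap:Envelope>";

    /** Factory that refuses DTD processing, external entities and external resolution. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Which of the properties above an implementation honours, and whether it
        // consults the resolver for the external subset, varies by parser; the
        // resolver is the extra barrier in case the DTD is read before the event.
        f.setXMLResolver((publicId, systemId, baseUri, ns) -> {
            throw new XMLStreamException("external resolution refused: " + systemId);
        });
        return f;
    }

    /** "rejected" if the parser refuses the input, else "dtd-seen" or "no-dtd". */
    static String scan(String xml) {
        try {
            XMLStreamReader r = hardenedFactory().createXMLStreamReader(new StringReader(xml));
            boolean dtd = false;
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.DTD) {
                    dtd = true; // the point where an application would send a fault
                }
            }
            return dtd ? "dtd-seen" : "no-dtd";
        } catch (XMLStreamException e) {
            return "rejected";
        }
    }

    public static void main(String[] args) {
        System.out.println(scan(ENVELOPE));
    }
}
```

Running it against each StAX provider on the classpath (JDK built-in, Woodstox, others) shows whether that provider rejects the DOCTYPE outright or reports the DTD event without touching the network, which is the per-parser behaviour the message says is unknown.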