If you currently use SOAP Microservices & Apache CXF, you should stay alert! 7th Apr 2021

Preface: Many industry standards still rely on XML to describe and exchange data between business partners in a way that guarantees interoperability even with legacy systems running on mainframes. SOAP enables developers to create and use APIs based on XML payloads.

Background: Apache CXF™ is an open source services framework. CXF helps you build and develop services using frontend programming APIs, like JAX-WS and JAX-RS. These services can speak a variety of protocols such as SOAP, XML/HTTP, RESTful HTTP, or CORBA and work over a variety of transports such as HTTP, JMS or JBI.

Vulnerability Details: A set of malicious clients can launch a DoS attack against the authorization server by pointing the “request_uri” parameter (which the server dereferences to obtain the request object) to a URI that returns extremely large content or is extremely slow to respond. Under such an attack, the server may use up its resources and start failing. Official details are given in the following link – https://lists.apache.org/thread.html/r6445001cc5f9a2bb1e6316993753306e054bdd1d702656b7cbe59045@%3Cannounce.apache.org%3E

Workaround: To prevent such an attack from succeeding, the server should:

(a) check that the value of the “request_uri” parameter does not point to an unexpected location.
(b) check that the content type of the response is “application/oauth-authz-req+jwt”.
(c) implement a time-out for obtaining the content of the “request_uri”.
(d) not perform recursive GETs on the “request_uri”.
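As an added example (not code from this post or from Apache CXF), here are the four checks above implemented as a hardened request_uri fetcher in Python, plus a byte cap on the response body to cover the "extremely large content" case. The allowlist, the limits and the local stub server are constructed for illustration, and check (d) is implemented as refusing to follow HTTP redirects.

```python
import http.server, threading, time, urllib.request
from urllib.parse import urlparse

EXPECTED_CT = "application/oauth-authz-req+jwt"  # (b) the only content type accepted
class RequestUriError(Exception):
    pass
class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise RequestUriError(f"refusing redirect to {newurl}")  # (d) no chained GETs

def fetch_request_object(uri, allowed_hosts, timeout=2.0, max_bytes=8192, schemes=("https",)):
    p = urlparse(uri)
    if p.scheme not in schemes or p.hostname not in allowed_hosts:
        raise RequestUriError("request_uri points to an unexpected location")  # (a) allowlist
    try:
        with urllib.request.build_opener(_NoRedirect).open(uri, timeout=timeout) as resp:  # (c)
            ct = resp.headers.get("Content-Type", "").split(";")[0].strip().lower()
            if ct != EXPECTED_CT:
                raise RequestUriError(f"unexpected content type {ct!r}")  # (b)
            body = resp.read(max_bytes + 1)  # bounded read: a huge body cannot exhaust memory
    except OSError as exc:  # URLError, connection failures and socket timeouts derive from OSError
        raise RequestUriError(f"fetch failed: {exc}") from exc
    if len(body) > max_bytes:
        raise RequestUriError("request object exceeds size limit")
    return body

def is_rejected(uri, allowed_hosts, **kw):
    try:
        fetch_request_object(uri, allowed_hosts, **kw)
        return False
    except RequestUriError:
        return True

# Constructed stub standing in for the host named by request_uri (test fixture, not a real server).
class _Stub(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args): pass  # keep the stub quiet
    def do_GET(self):
        if self.path == "/slow":
            time.sleep(3)  # outlasts the client's timeout
        body = b"x" * 20000 if self.path == "/big" else b"constructed.jwt.placeholder"
        self.send_response(302 if self.path == "/hop" else 200)
        self.send_header("Location", "/good")  # only acted on for the 302 from /hop
        self.send_header("Content-Type", "text/html" if self.path == "/html" else EXPECTED_CT)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def start_stub_server():
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _Stub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"
```

The stub's `/good`, `/html`, `/big`, `/hop` and `/slow` paths exercise the accepted case and each rejection in turn; the https-only default is relaxed to plain http only for the local fixture.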
