CVE-2016-8739
XML External Entity (XXE) vulnerability in cxf-core (Maven)
What is CVE-2016-8739 About?
This vulnerability in Apache CXF's JAX-RS module allows XML External Entity (XXE) attacks due to default entity expansion by Apache Abdera Parser. This can lead to sensitive information disclosure or server-side request forgery. Exploitation requires sending specially crafted XML, making it moderately easy to exploit.
Affected Software
- org.apache.cxf:cxf-core
  - <3.0.12
  - >3.1.0, <3.1.9
Technical Details
The JAX-RS module in Apache CXF uses Apache Abdera Parser for its Atom JAX-RS MessageBodyReaders. By default, Apache Abdera Parser is configured to expand XML entities. This default configuration allows an attacker to inject specially crafted XML documents containing external entity declarations (XXE). When the vulnerable CXF module processes such a document, the parser resolves and expands the external entities. This can result in the disclosure of local files on the server, execution of server-side requests (SSRF), or other system-level interactions that an attacker can control.
What is the Impact of CVE-2016-8739?
Successful exploitation may allow attackers to read arbitrary files on the system, perform server-side request forgery (SSRF), or potentially execute remote code depending on the server's configuration and available tools.
What is the Exploitability of CVE-2016-8739?
Exploitation complexity is moderate, requiring knowledge of XXE attack vectors and the ability to send specifically crafted XML payloads to the JAX-RS endpoints. No specific authentication or privilege is typically required if the affected endpoints are publicly accessible and process XML input. This is a remote vulnerability. The critical prerequisite is that the Apache CXF JAX-RS module is configured with Apache Abdera Parser, which has default XML entity expansion enabled. Trusting XML input from untrusted sources significantly increases the risk of exploitation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2016-8739?
About the Fix from Resolved Security
The patch changes the XML parsing in AbstractAtomProvider from parsing directly from an input stream to explicitly creating an XMLStreamReader with StaxUtils, which protects against XML External Entity (XXE) attacks by disabling the use of external entities and DTD resolution. This directly addresses CVE-2016-8739, which is a vulnerability where specially crafted XML input could cause the application to process external entities, leading to potential information disclosure or remote resource access.
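To show what the fix buys, here is an added example (not CXF's or Abdera's code) that applies the two StAX properties CXF's StaxUtils sets to a plain XMLStreamReader and feeds it a constructed Atom entry carrying an external entity declaration; the SYSTEM identifier is a placeholder, not a real path.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class AtomXxeHardening {

    // Mirrors the hardening CXF's StaxUtils applies to the readers it creates:
    // no DTD processing and no external entity resolution.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Reads the <title> text of an Atom entry through the hardened reader.
    static String readTitle(String atomEntry) throws XMLStreamException {
        XMLStreamReader r = hardenedFactory().createXMLStreamReader(new StringReader(atomEntry));
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT && "title".equals(r.getLocalName())) {
                    return r.getElementText();
                }
            }
            return null;
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) {
        // Constructed Atom entry that declares an external entity (placeholder SYSTEM id).
        String hostile = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE entry [<!ENTITY ext SYSTEM \"file:///placeholder-local-file\">]>\n"
            + "<entry xmlns=\"http://www.w3.org/2005/Atom\"><title>&ext;</title></entry>";
        String benign = "<entry xmlns=\"http://www.w3.org/2005/Atom\"><title>hello</title></entry>";
        try {
            System.out.println("benign title: " + readTitle(benign));
            System.out.println("hostile title: " + readTitle(hostile));
        } catch (XMLStreamException e) {
            // With SUPPORT_DTD off the JDK parser skips the DTD and then fails on the
            // undeclared entity reference; other StAX implementations reject the DOCTYPE
            // itself. In both cases the SYSTEM identifier is never fetched.
            System.out.println("hostile entry rejected: " + e.getMessage());
        }
    }
}
```

A reader created from a default XMLInputFactory would instead resolve the entity and return the referenced content as the title, which is the behaviour the page describes for the unpatched Atom provider.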
Available Upgrade Options
- org.apache.cxf:cxf-core
  - <3.0.12 → Upgrade to 3.0.12
  - >3.1.0, <3.1.9 → Upgrade to 3.1.9
Additional Resources
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
- https://access.redhat.com/errata/RHSA-2017:0868
- http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc
- https://nvd.nist.gov/vuln/detail/CVE-2016-8739
- http://www.securityfocus.com/bid/97579
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E
What are Similar Vulnerabilities to CVE-2016-8739?
Similar Vulnerabilities: CVE-2017-1000487, CVE-2020-25649, CVE-2019-12406, CVE-2018-1288, CVE-2017-9800
