CVE-2017-12624
Denial of Service (DoS) vulnerability in cxf-core (Maven)
What is CVE-2017-12624 About?
Apache CXF is vulnerable to a Denial of Service (DoS) attack through specially crafted message attachment headers. This affects both JAX-WS and JAX-RS services, leading to resource exhaustion. Exploitation involves sending malformed headers, making it moderately easy to execute.
Affected Software
- org.apache.cxf:cxf-core
  - >3.2.0, <3.2.1
  - >3.1.0, <3.1.14
  - <3.0.16
Technical Details
The Denial of Service (DoS) vulnerability in Apache CXF (versions before 3.2.1 and 3.1.14) stems from its handling of message attachment headers. Specifically, when a CXF web service provider receives a message with an excessively long or malformed attachment header, the parsing mechanism can consume disproportionate amounts of memory or CPU resources. An attacker can craft a SOAP or REST message containing an attachment header far exceeding typical lengths (e.g., hundreds or thousands of characters). The vulnerable CXF implementation attempts to process this header, leading to resource exhaustion, slowing down the service, or causing it to crash, thus denying service to legitimate users. This affects both JAX-WS and JAX-RS implementations.
What is the Impact of CVE-2017-12624?
Successful exploitation may allow attackers to render Apache CXF web services unresponsive or crash them, leading to a denial of service (DoS) for legitimate users and impacting system availability.
What is the Exploitability of CVE-2017-12624?
Exploitation is of moderate complexity, requiring knowledge of the CXF message structure and the ability to craft valid but malicious attachment headers. No specific authentication or privileged access is typically required beyond what is needed to send a message to the CXF service. The attack is remote, as it involves sending specially crafted network requests. Prerequisites include the target application utilizing a vulnerable version of Apache CXF for its JAX-WS or JAX-RS services. Special conditions involve the attachment-max-header-size property not being configured or set to a sufficiently high value. The risk factors for exploitation are higher in publicly exposed CXF endpoints that do not implement robust input validation or message size limits.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| tafamace | Link | PoC for CVE-2017-12624 |
What are the Available Fixes for CVE-2017-12624?
About the Fix from Resolved Security
The patch introduces a configurable maximum header size for each MIME part in multipart processing, defaulting to 300 bytes. By enforcing this limit and rejecting requests with excessively large headers, it mitigates the risk of resource exhaustion and denial of service described in CVE-2017-12624, where attackers could exploit the lack of header size checks to overwhelm the system.
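The principle behind that fix, a header reader that enforces the cap while it reads rather than after buffering, as an added Python example (not CXF's own code): the 300-byte default comes from the page, while applying it per header line, the `max_total` block limit and the helper names are my assumptions.

```python
import io

# Default taken from the page: the CXF fix caps MIME part headers at 300 bytes.
DEFAULT_MAX_HEADER_SIZE = 300

class HeaderSizeExceeded(ValueError):
    """Raised as soon as part headers grow past the configured cap."""

def _read_line(stream, max_size):
    """Read one LF-terminated line (CRs dropped), checking the cap on every byte
    so an oversized header is rejected before it is ever buffered in full."""
    buf = bytearray()
    while True:
        c = stream.read(1)
        if not c:
            return bytes(buf) if buf else None          # EOF
        if c == b"\n":
            return bytes(buf)
        if c != b"\r":
            buf += c
            if len(buf) > max_size:
                raise HeaderSizeExceeded(f"header line exceeds {max_size} bytes")

def read_part_headers(stream, max_size=DEFAULT_MAX_HEADER_SIZE, max_total=None):
    """Parse one part's header block (up to the blank line). max_size bounds each
    line; max_total (my addition, default 10 * max_size) bounds the whole block
    so a long run of folded continuation lines cannot sidestep the cap."""
    max_total = 10 * max_size if max_total is None else max_total
    headers, last_name, total = {}, None, 0
    while (line := _read_line(stream, max_size)):       # stops at blank line / EOF
        total += len(line)
        if total > max_total:
            raise HeaderSizeExceeded(f"part headers exceed {max_total} bytes")
        if line[:1] in (b" ", b"\t") and last_name is not None:
            # folded continuation line: append to the previous header's value
            headers[last_name] += " " + line.strip().decode("latin-1")
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line (no colon)")
        last_name = name.strip().decode("latin-1").lower()
        headers[last_name] = value.strip().decode("latin-1")
    return headers

def check_part(data, max_size=DEFAULT_MAX_HEADER_SIZE):
    """Return (accepted, headers_or_reason, bytes_consumed) for one raw MIME part."""
    stream = io.BytesIO(data)
    try:
        return True, read_part_headers(stream, max_size), stream.tell()
    except HeaderSizeExceeded as exc:
        return False, str(exc), stream.tell()
```

The third tuple element shows the mitigation's point: a rejected part costs the server at most `max_size + 1` bytes of reading, however long the attacker's header is.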
Available Upgrade Options
- org.apache.cxf:cxf-core
  - <3.0.16 → Upgrade to 3.0.16
  - >3.1.0, <3.1.14 → Upgrade to 3.1.14
  - >3.2.0, <3.2.1 → Upgrade to 3.2.1
Additional Resources
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
- http://cxf.apache.org/security-advisories.data/CVE-2017-12624.txt.asc
- http://www.securitytracker.com/id/1040486
- https://access.redhat.com/errata/RHSA-2018:2425
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
- https://access.redhat.com/errata/RHSA-2018:2423
- http://www.securityfocus.com/bid/101859
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
- https://access.redhat.com/errata/RHSA-2018:2424
- https://nvd.nist.gov/vuln/detail/CVE-2017-12624
What are Similar Vulnerabilities to CVE-2017-12624?
Similar Vulnerabilities: CVE-2017-12623, CVE-2017-16020, CVE-2017-7658, CVE-2018-8032, CVE-2019-0205
