Tuesday, November 5, 2019

Two new CVEs released for Apache CXF

Apache CXF 3.3.4 and 3.2.11 have been released. Along with the usual bug fixes and dependency updates, these releases contain fixes for two new CVEs:
  • CVE-2019-12419: Apache CXF OpenId Connect token service does not properly validate the clientId. The problem here is that the OAuth access token service didn't validate that the submitted clientId matches that of the authenticated principal, thus allowing a malicious client to obtain an access token using a code issued to another client. Of course, this requires the malicious client to actually obtain the authorization code for the other client somehow.
  • CVE-2019-12406: Apache CXF does not restrict the number of message attachments. Essentially here CXF did not impose any restrictions on the number of message attachments, meaning that a malicious entity could try to attempt a denial of serice attack by generating a message with a huge number of message attachments.
Please update to the latest CXF releases to pick up fixes for these advisories.