
Denial of Service: Regular Expression in StringUtils

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.1
    • Fix Version/s: 3.0.6, 2.7.17, 3.1.2
    • Component/s: Core
    • Labels: None
    • Estimated Complexity: Unknown

      Description

      Untrusted data is passed to the application and used as a regular expression. This can cause the thread to over-consume CPU resources.

      org.apache.cxf.common.util.StringUtils

                  String separator = getSeparator();
                  return StringUtils.split(c, separator);

      Where separator is provided by CacheControlHeader:

                  Object sepProperty = message.getContextualProperty(CACHE_CONTROL_SEPARATOR_PROPERTY);

      There is a vulnerability in implementations of regular expression evaluators and related methods that can cause the thread to hang when evaluating repeating and alternating overlapping of nested and repeated regex groups. This defect can be used to execute a DoS (Denial of Service) attack.

      Example:

      (e+)+
      ([a-zA-Z]+)*

      There are no known regular expression implementations which are immune to this vulnerability.
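      The following is an added example (not CXF's own code) showing the defensive shape of the fix the description calls for: a caller-supplied separator that reaches String.split is compiled as a java.util.regex pattern, so the hardened path quotes it with Pattern.quote (matching every character literally) or restricts it to an allowlist. The class name, method names, the sample header value and the allowlist contents are assumptions for illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/** Added example (not CXF code): regex-interpreting split beside a literal split. */
public final class SeparatorSplitExample {

    // Vulnerable shape: the caller-supplied separator goes straight to
    // String.split, which compiles it as a regular expression. Any pattern
    // with nested quantifiers supplied here is evaluated by the backtracking engine.
    static List<String> splitAsRegex(String value, String separator) {
        return Arrays.asList(value.split(separator));
    }

    // Hardened: Pattern.quote wraps the separator in \Q...\E, so every
    // character is matched literally and no metacharacter reaches the engine.
    static List<String> splitAsLiteral(String value, String separator) {
        if (separator == null || separator.isEmpty()) {
            throw new IllegalArgumentException("separator must be non-empty");
        }
        return Arrays.asList(value.split(Pattern.quote(separator)));
    }

    // Stricter still: accept only separators the deployment actually needs.
    // The list below is an assumed example; the real set is deployment-specific.
    private static final List<String> ALLOWED_SEPARATORS = Arrays.asList(",", ";", " ");

    static List<String> splitWithAllowlist(String value, String separator) {
        if (!ALLOWED_SEPARATORS.contains(separator)) {
            throw new IllegalArgumentException("unsupported separator: " + separator);
        }
        return Arrays.asList(value.split(Pattern.quote(separator)));
    }

    public static void main(String[] args) {
        String header = "no-cache,max-age=0"; // constructed sample Cache-Control value
        System.out.println(splitAsRegex(header, ","));    // [no-cache, max-age=0]
        System.out.println(splitAsLiteral(header, ","));  // [no-cache, max-age=0]

        // "." shows why the two paths differ: as a regex it matches every
        // character, so all tokens are empty and the result is []; as a
        // literal it splits on the dots.
        System.out.println(splitAsRegex("a.b.c", "."));   // []
        System.out.println(splitAsLiteral("a.b.c", "."));  // [a, b, c]

        // The pattern from the description is never compiled on the hardened
        // path; it is just a literal token to split on.
        System.out.println(splitAsLiteral("x(e+)+y", "(e+)+")); // [x, y]
        System.out.println(splitWithAllowlist(header, ","));    // [no-cache, max-age=0]
    }
}
```

      Quoting the separator removes the regex interpretation entirely, which is the smallest change; the allowlist additionally bounds what a message property can inject and is the better choice where the set of valid separators is known up front.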

            People

            • Assignee: Sergey Beryozkin (sergey_beryozkin)
            • Reporter: Donald Kwakkel (dkwakkel)