TOMEE-2996

Upgrade CXF to 3.3.10 / 3.4.3 in TomEE



    • Type: Dependency upgrade
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 8.0.6
    • Fix Version/s: 8.0.7, 8.0.8
    • Component/s: TomEE Core Server
    • Labels:


      Apache TomEE version 8.0.6 contains a vulnerable version of the CXF libraries (i.e. cxf-core-3.3.8.jar).


      See Apache CXF - CVE-2021-22696 for more details.


      Vulnerability Details


      Vulnerability Published: 2021-04-02 06:15 EDT
      Vulnerability Updated: 2021-04-02 14:15 EDT
      CVSS Score: (under review, not scored yet - updates will be reported in issue comments)

      Summary: CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https") and was making a REST request to the URI given in that parameter to retrieve a token. This means that CXF was vulnerable to DDoS attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3 and Apache CXF versions prior to 3.3.10.

      Solution: N/A

      Workaround: N/A
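      The following is an added illustration of the flaw described above, not code from the TomEE or CXF projects and not a copy of JwtRequestCodeFilter. It models a JAR-style authorization endpoint that receives a "request_uri": the vulnerable variant checks only that the scheme is "https" and then fetches whatever URL the caller supplied, so any client of the authorization endpoint can turn it into a traffic generator against a third party (or against itself). The hardened variant applies the section 10.4.1 recommendation and fetches only request_uri values that were pre-registered for the client, matched exactly. The Client class, the registered URIs, the request parameters and the fetcher are constructed for the example; the network call is replaced by an injectable function so the code runs offline.

```python
"""Hypothetical JAR request_uri handling: vulnerable vs hardened.

Not CXF code. Demonstrates the CVE-2021-22696 pattern: an unvalidated
request_uri makes the authorization server issue outbound HTTPS requests
to attacker-chosen hosts.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


class InvalidRequest(Exception):
    """Authorization request rejected before any outbound call is made."""


@dataclass
class Client:
    """Constructed stand-in for registered OAuth 2 client metadata."""
    client_id: str
    # request_uri values agreed at client registration (spec section 10.4.1)
    registered_request_uris: frozenset = field(default_factory=frozenset)


def vulnerable_resolve_request_uri(params, fetch):
    """Pre-fix behaviour: only the URI scheme is inspected, then it is fetched."""
    uri = params.get("request_uri")
    if uri is None:
        return None
    if urlsplit(uri).scheme != "https":
        raise InvalidRequest("request_uri must use https")
    # Attacker controls the target host and path: the server becomes a
    # request amplifier / SSRF primitive.
    return fetch(uri)


def hardened_resolve_request_uri(params, client, fetch):
    """Fetch only a request_uri that was pre-registered for this client."""
    uri = params.get("request_uri")
    if uri is None:
        return None
    if "request" in params:
        # JAR forbids sending both "request" and "request_uri".
        raise InvalidRequest("request and request_uri are mutually exclusive")
    if urlsplit(uri).scheme != "https":
        raise InvalidRequest("request_uri must use https")
    # Exact string comparison against registration data; deliberately no
    # normalisation, prefix matching or host-only matching.
    if uri not in client.registered_request_uris:
        raise InvalidRequest("request_uri not registered for client")
    return fetch(uri)


# --- constructed demo data, no network ---------------------------------

FETCH_LOG = []


def fake_fetch(uri):
    """Stand-in for the outbound HTTPS GET; records every call it would make."""
    FETCH_LOG.append(uri)
    return "<jwt retrieved from %s>" % uri


def demo():
    """Run both variants against an attacker request and a legitimate one.

    Returns (attacker_blocked_by_hardened_variant, list_of_fetched_uris).
    """
    FETCH_LOG.clear()
    client = Client("web-app",
                    frozenset({"https://web-app.example/jar/req-1.jwt"}))
    attacker_params = {"response_type": "code", "client_id": "web-app",
                       "request_uri": "https://victim.example/big-resource"}
    good_params = {"response_type": "code", "client_id": "web-app",
                   "request_uri": "https://web-app.example/jar/req-1.jwt"}

    # Vulnerable path: the attacker-chosen https URL is fetched unconditionally.
    vulnerable_resolve_request_uri(attacker_params, fake_fetch)

    # Hardened path: the same request is rejected, the registered one is served.
    blocked = False
    try:
        hardened_resolve_request_uri(attacker_params, client, fake_fetch)
    except InvalidRequest:
        blocked = True
    hardened_resolve_request_uri(good_params, client, fake_fetch)
    return blocked, list(FETCH_LOG)


if __name__ == "__main__":
    print(demo())
```

      The scheme check alone is not a mitigation: it restricts the attacker to https targets, which is exactly what a DDoS reflection or an internal-network probe needs. Upgrading CXF to 3.3.10 / 3.4.3 is the fix for TomEE; the pre-registration check shown here is the general pattern the JAR spec recommends, not a description of the CXF patch itself.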


      Affected Component(s): Apache CXF
      Vulnerability Published: 2021-04-02 11:35 EDT
      Vulnerability Updated: 2021-04-02 11:35 EDT
      CVSS Score: 6.5 (overall), 7.5 (base)

      Summary: Apache CXF is vulnerable to distributed denial-of-service (DDoS) via passing OAuth 2 parameters via a JWT token. An attacker could exploit this in order to cause the authorization server to crash.

      Solution: Fixed in 3.4.3 by this and this commit. Fixed in 3.3.10 by this and this commit.

      The latest stable releases are available here.

      Workaround: N/A



            • Assignee: somasaninikhil Nikhil