Details
- Type: Dependency upgrade
- Status: Resolved
- Priority: Major
- Resolution: Duplicate
- Affects Version/s: 8.0.6
- Fix Version/s: None
Description
Apache TomEE version 8.0.6 contains a vulnerable version of the CXF libraries (i.e. cxf-core-3.3.8.jar).
See Apache CXF - CVE-2021-22696 for more details.
Vulnerability Details
CVE-2021-22696
Vulnerability Published: 2021-04-02 06:15 EDT
Vulnerability Updated: 2021-04-02 14:15 EDT
CVSS Score: (under review, not scored yet - updates will be reported in issue comments)
Summary: CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https") and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDoS attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.
Solution: N/A
Workaround: N/A
BDSA-2021-0853
Affected Component(s): Apache CXF
Vulnerability Published: 2021-04-02 11:35 EDT
Vulnerability Updated: 2021-04-02 11:35 EDT
CVSS Score: 6.5 (overall), 7.5 (base)
Summary: Apache CXF is vulnerable to distributed denial-of-service (DDoS) via passing OAuth 2 parameters via a JWT token. An attacker could exploit this in order to cause the authorization server to crash.
Solution: Fixed in 3.4.3 by this and this commit. Fixed in 3.3.10 by this and this commit.
The latest stable releases are available here.
Workaround: N/A
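The weak check described in the CVE summary (scheme only) beside a hardened one that follows the JAR spec's advice in section 10.4.1: an authorization server should only dereference a "request_uri" that the client pre-registered. This is an added illustration, not code from Apache CXF or TomEE; the client registry, the client id and the URIs in it are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed example registry: request_uri values a client pre-registered
# with the authorization server (assumption: stored at client registration).
REGISTERED_REQUEST_URIS = {
    "client-a": {"https://rp.example.com/jar/authz-request"},
}


def weak_request_uri_check(request_uri: str) -> bool:
    """The pre-fix behaviour the CVE describes: only the scheme is checked,
    so the server will fetch from any https host, including itself."""
    return urlsplit(request_uri).scheme == "https"


def _normalize(uri: str):
    """Return (host, port, path) with the default https port filled in,
    or None when the URI is not an acceptable https URL."""
    try:
        p = urlsplit(uri)
        port = p.port or 443  # .port raises ValueError on a malformed port
    except ValueError:
        return None
    if p.scheme != "https" or not p.hostname:
        return None
    if p.username or p.password or p.fragment or p.query:
        return None  # credentials, fragments and queries are never registered
    return (p.hostname, port, p.path)


def validate_request_uri(client_id: str, request_uri: str) -> bool:
    """Hardened check: the presented value must exactly match (after
    normalisation) a request_uri pre-registered for this client, so the
    server never fetches from an attacker-chosen location."""
    target = _normalize(request_uri)
    if target is None:
        return False
    registered = {_normalize(u) for u in REGISTERED_REQUEST_URIS.get(client_id, ())}
    return target in registered
```

Exact matching is deliberate: prefix or host-only matching would let a registered host be used to point the server at other paths, and the fetch itself should still carry a timeout and a response-size cap.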
Issue Links
- Blocked: TOMEE-2987 Upgrade to CXF 3.4.3 (Resolved)
- is superseded by: TOMEE-2987 Upgrade to CXF 3.4.3 (Resolved)