Vulnerabilities > CVE-2013-2160 - Resource Management Errors vulnerability in Apache CXF

CVSS 0.0 - NONE (no score recorded by this aggregator; the Nessus plugins below rate the issue CVSS2 AV:N/AC:L/Au:N/C:N/I:N/A:P, i.e. a 5.0 base score: network-reachable, no authentication required, availability impact only)
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
apache
CWE-399
nessus
exploit available

Summary

The streaming XML parser in Apache CXF 2.5.x before 2.5.10, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of (1) elements, (2) attributes, (3) nested constructs, and possibly other vectors. Because the exhaustion happens inside the parser itself, a crafted document only needs to reach an XML-consuming CXF endpoint; the Nessus vector below rates it network-reachable and unauthenticated (AV:N, Au:N). Distribution fixes may ship a later release than the minimum listed here (the Fedora updates below move to 2.6.9), so compare the installed version against the fixed floor for its branch rather than looking for an exact match.

Common Weakness Enumeration (CWE)

Exploit-Db

descriptionApache CXF < 2.5.10 / 2.6.7 / 2.7.4 - Denial of Service. CVE-2013-2160. DoS exploit for multiple platforms
idEDB-ID:26710
last seen2016-02-03
modified2013-07-09
published2013-07-09
reporterSEC Consult
sourcehttps://www.exploit-db.com/download/26710/
titleApache CXF < 2.5.10 / 2.6.7 / 2.7.4 - Denial of Service

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2013-14106.NASL
    descriptionUpgrade of CXF to 2.6.9, fixes CVE-2013-2160. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2013-08-12
    plugin id69298
    published2013-08-12
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/69298
    titleFedora 19 : cxf-2.6.9-1.fc19 / jacorb-2.3.1-8.fc19 / wss4j-1.6.10-1.fc19 (2013-14106)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # Advisory text and package checks derived from Fedora Security
    # Advisory 2013-14106 (CVE-2013-2160, Apache CXF XML parser DoS).
    #

    include("compat.inc");

    if (description)
    {
      script_id(69298);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

      script_cve_id("CVE-2013-2160");
      script_xref(name:"FEDORA", value:"2013-14106");

      script_name(english:"Fedora 19 : cxf-2.6.9-1.fc19 / jacorb-2.3.1-8.fc19 / wss4j-1.6.10-1.fc19 (2013-14106)");
      script_summary(english:"Checks rpm output for the updated packages.");

      script_set_attribute(attribute:"synopsis", value:"The remote Fedora host is missing one or more security updates.");
      script_set_attribute(attribute:"description", value:
    "Upgrade of CXF to 2.6.9, fixes CVE-2013-2160.

    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");

      # Upstream bug, then the three package-announce mails (one per package).
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=929197");
      # https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113791.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3cf87d55");
      # https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113792.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e74effcb");
      # https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113793.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8c11c1ce");

      script_set_attribute(attribute:"solution", value:"Update the affected cxf, jacorb and / or wss4j packages.");
      # Remote, unauthenticated, availability impact only.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:cxf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:jacorb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:wss4j");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:19");

      script_set_attribute(attribute:"patch_publication_date", value:"2013/08/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/12");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

      exit(0);
    }


    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    # Credentialed local checks are required; nothing is probed over the network.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");

    # The fixed NVRs below are Fedora 19 builds, so any other release is out of scope.
    ver_match = eregmatch(pattern:"Fedora.*release ([0-9]+)", string:release);
    if (isnull(ver_match)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    fedora_ver = ver_match[1];
    if (!ereg(pattern:"^19([^0-9]|$)", string:fedora_ver)) audit(AUDIT_OS_NOT, "Fedora 19.x", "Fedora " + fedora_ver);

    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    # Only x86 / x86_64 package versions are known to this plugin.
    arch = get_kb_item("Host/cpu");
    if (isnull(arch)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< arch && arch !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", arch);

    # An installed package older than its fixed NVR marks the host as vulnerable.
    fixed_pkgs = make_list(
      "cxf-2.6.9-1.fc19",
      "jacorb-2.3.1-8.fc19",
      "wss4j-1.6.10-1.fc19"
    );
    vuln_count = 0;
    foreach fixed (fixed_pkgs)
    {
      if (rpm_check(release:"FC19", reference:fixed)) vuln_count++;
    }

    if (vuln_count > 0)
    {
      # Medium severity (security_warning) matches the A:P-only CVSS vector.
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }

    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cxf / jacorb / wss4j");
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2013-14159.NASL
    descriptionUpgrade of CXF to 2.6.9, fixes CVE-2013-2160. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2013-08-12
    plugin id69300
    published2013-08-12
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/69300
    titleFedora 18 : cxf-2.6.9-1.fc18 / jacorb-2.3.1-8.fc18 / wss4j-1.6.10-1.fc18 (2013-14159)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # Advisory text and package checks derived from Fedora Security
    # Advisory 2013-14159 (CVE-2013-2160, Apache CXF XML parser DoS).
    #

    include("compat.inc");

    if (description)
    {
      script_id(69300);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

      script_cve_id("CVE-2013-2160");
      script_xref(name:"FEDORA", value:"2013-14159");

      script_name(english:"Fedora 18 : cxf-2.6.9-1.fc18 / jacorb-2.3.1-8.fc18 / wss4j-1.6.10-1.fc18 (2013-14159)");
      script_summary(english:"Checks rpm output for the updated packages.");

      script_set_attribute(attribute:"synopsis", value:"The remote Fedora host is missing one or more security updates.");
      script_set_attribute(attribute:"description", value:
    "Upgrade of CXF to 2.6.9, fixes CVE-2013-2160.

    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");

      # Upstream bug, then the three package-announce mails (one per package).
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=929197");
      # https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113756.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?86049458");
      # https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113757.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?52eedd39");
      # https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113758.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b4b6a104");

      script_set_attribute(attribute:"solution", value:"Update the affected cxf, jacorb and / or wss4j packages.");
      # Remote, unauthenticated, availability impact only.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:cxf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:jacorb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:wss4j");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:18");

      script_set_attribute(attribute:"patch_publication_date", value:"2013/08/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/12");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

      exit(0);
    }


    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    # Credentialed local checks are required; nothing is probed over the network.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");

    # The fixed NVRs below are Fedora 18 builds, so any other release is out of scope.
    ver_match = eregmatch(pattern:"Fedora.*release ([0-9]+)", string:release);
    if (isnull(ver_match)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    fedora_ver = ver_match[1];
    if (!ereg(pattern:"^18([^0-9]|$)", string:fedora_ver)) audit(AUDIT_OS_NOT, "Fedora 18.x", "Fedora " + fedora_ver);

    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    # Only x86 / x86_64 package versions are known to this plugin.
    arch = get_kb_item("Host/cpu");
    if (isnull(arch)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< arch && arch !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", arch);

    # An installed package older than its fixed NVR marks the host as vulnerable.
    fixed_pkgs = make_list(
      "cxf-2.6.9-1.fc18",
      "jacorb-2.3.1-8.fc18",
      "wss4j-1.6.10-1.fc18"
    );
    vuln_count = 0;
    foreach fixed (fixed_pkgs)
    {
      if (rpm_check(release:"FC18", reference:fixed)) vuln_count++;
    }

    if (vuln_count > 0)
    {
      # Medium severity (security_warning) matches the A:P-only CVSS vector.
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }

    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cxf / jacorb / wss4j");
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2013-1437.NASL
descriptionThe version of JBoss Enterprise Portal Platform on the remote system is affected by the following issues: - A flaw in CSRF prevention filter in JBoss Web could allow remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier. (CVE-2012-4431) - A flaw that occurs when the COOKIE session tracking method is used can allow attackers to hijack users' sessions. (CVE-2012-4529) - ... (the full list, including the CVE-2013-2160 StAX parser denial of service, is in the plugin description below)
    last seen2020-06-01
    modified2020-06-02
    plugin id72237
    published2014-01-31
    reporterThis script is Copyright (C) 2014-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/72237
    titleJBoss Portal 6.1.0 Update (RHSA-2013:1437)
    code
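    #
    # (C) Tenable Network Security, Inc.
    #
    # Version check for JBoss Enterprise Portal Platform 6.0.0 against the
    # fixes shipped in 6.1.0 (RHSA-2013:1437). Twelve CVEs are bundled; the
    # reported CVSS vector (C:C) reflects the worst of them, not CVE-2013-2160
    # alone, which is availability-only.
    #

    include("compat.inc");

    if (description)
    {
      script_id(72237);
      script_version("1.8");
      script_cvs_date("Date: 2019/10/24 15:35:37");

      script_cve_id(
        "CVE-2012-4431",
        "CVE-2012-4529",
        "CVE-2012-4572",
        "CVE-2012-5575",
        "CVE-2013-1921",
        "CVE-2013-2067",
        "CVE-2013-2102",
        "CVE-2013-2160",
        "CVE-2013-2172",
        "CVE-2013-4112",
        "CVE-2013-4128",
        "CVE-2013-4213"
      );
      script_bugtraq_id(
        56814,
        59799,
        60040,
        60043,
        60045,
        60846,
        61030,
        61179,
        61739,
        61742,
        62256,
        63196
      );
      script_xref(name:"RHSA", value:"2013:1437");

      script_name(english:"JBoss Portal 6.1.0 Update (RHSA-2013:1437)");
      script_summary(english:"Checks for the install versions of JBoss Portal");

      script_set_attribute(attribute:"synopsis", value:
    "The remote Red Hat host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "The version of JBoss Enterprise Portal Platform on the remote system is
    affected by the following issues:

      - A flaw in CSRF prevention filter in JBoss Web could allow
        remote attackers to bypass the cross-site request forgery
        (CSRF) protection mechanism via a request that lacks a
        session identifier. (CVE-2012-4431)

      - A flaw that occurs when the COOKIE session tracking
        method is used can allow attackers to hijack users'
        sessions. (CVE-2012-4529)

      - A flaw that occurs when multiple applications use the
        same custom authorization module class name can allow a
        local attacker to deploy a malicious application that
        overrides the custom authorization modules provided by
        other applications. (CVE-2012-4572)

      - The framework does not verify that a specified
        cryptographic algorithm is allowed by the
        WS-SecurityPolicy AlgorithmSuite definition before
        decrypting.  This can allow remote attackers to force
        the system to use weaker cryptographic algorithms than
        intended and makes it easier to decrypt communications.
        (CVE-2012-5575)

      - A flaw in PicketBox can allow local users to obtain the
        admin encryption key by reading the Vault data file.
        (CVE-2013-1921)

      - A session fixation flaw was found in the
        FormAuthenticator module. (CVE-2013-2067)

      - A flaw that occurs when a JGroups channel was started
        results in the JGroups diagnostics service being enabled
        by default with no authentication via IP multicast. A
        remote attacker can make use of this flaw to read
        diagnostics information. (CVE-2013-2102)

      - A flaw in the StAX parser implementation can allow
        remote attackers to cause a denial of service via
        crafted XML. (CVE-2013-2160)

      - A flaw in Apache Santuario XML Security can allow
        context-dependent attackers to spoof an XML Signature
        by using the CanonicalizationMethod parameter to
        specify an arbitrary weak algorithm. (CVE-2013-2172)

      - A flaw in JGroup's DiagnosticsHandler can allow remote
        attackers to obtain sensitive information and execute
        arbitrary code by re-using valid credentials.
        (CVE-2013-4112)

      - A flaw in the manner in which authenticated connections
        were cached on the server by remote-naming can allow
        remote attackers to hijack sessions by using a remoting
        client. (CVE-2013-4128)

      - A flaw in the manner in which connections for EJB
        invocations were cached on the server can allow remote
        attackers to hijack sessions by using an EJB client.
        (CVE-2013-4213)");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=868202");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=872059");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=880443");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=883636");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=929197");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=948106");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=961779");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=963984");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=983489");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=984795");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=985359");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=999263");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2012-4431.html");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2012-4529.html");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2012-4572.html");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2012-5575.html");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-1921.html");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-2067.html");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-2102.html");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-2160.html");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-2172.html");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-4112.html");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-4128.html");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-4213.html");

      script_set_attribute(attribute:"solution", value:
    "Upgrade the installed JBoss Portal 6.0.0 to 6.1.0 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");

      script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/10/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/01/31");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_enterprise_portal_platform:6.1.0");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"Red Hat Local Security Checks");

      script_copyright(english:"This script is Copyright (C) 2014-2019 Tenable Network Security, Inc.");

      script_dependencies("ssh_get_info.nasl", "jboss_detect.nbin");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");

    # We are only interested in Red Hat systems
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");

    info = "";
    jboss = 0;
    # get_kb_list_or_exit() terminates the plugin when no Portal install was
    # recorded by jboss_detect.nbin, so `installs` is never null past this line
    # and the final "not affected" audit below is effectively unreachable; it is
    # kept as a defensive fallback rather than changed.
    installs = get_kb_list_or_exit("Host/JBoss/Portal Platform");
    if(!isnull(installs)) jboss = 1;

    foreach install (make_list(installs))
    {
      # KB entries are "<version>:<path>".
      match = eregmatch(string:install, pattern:"([^:]+):(.*)");

      if (!isnull(match))
      {
        ver = match[1];
        path = match[2];

        # Only 6.0.0 is affected (fixed in 6.1.0). The dots are escaped so the
        # pattern matches a literal version and not any 5-character string
        # shaped like "6?0?0"; the trailing group stops "6.0.0" from matching
        # a longer version such as 6.0.01 by prefix.
        if (ver =~ "^6\.0\.0([^0-9]|$)")
        {
          info += '\n' + '  Path    : ' + path+ '\n';
          info += '  Version : ' + ver + '\n';
        }
      }
    }

    # Report what we found.
    if (info)
    {
      # Flag the host as having a CSRF-bypass issue (CVE-2012-4431) for other plugins.
      set_kb_item(name:"www/0/XSRF", value:TRUE);
      if (report_verbosity > 0)
      {
        # Each install contributes three lines (blank, Path, Version).
        if (max_index(split(info)) > 3) s = 's of JBoss Enterprise Portal Platform are';
        else s = ' of JBoss Enterprise Portal Platform is';

        report =
          '\n' +
          'The following instance'+s+' out of date and\nshould be upgraded to 6.1.0 or later :\n' +
          info;

        security_hole(port:0, extra:report);
      }
      else security_hole(port:0);
    }
    else if ( (!info) && (jboss) )
    {
      exit(0, "The JBoss Enterprise Portal Platform version installed is not affected.");
    }
    else audit(AUDIT_HOST_NOT, "affected");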
    

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/122337/SA-20130709-0.txt
idPACKETSTORM:122337
last seen2016-12-05
published2013-07-09
reporterA. Falkenberg
sourcehttps://packetstormsecurity.com/files/122337/Apache-CXF-2.5.10-2.6.7-2.7.4-Denial-Of-Service.html
titleApache CXF 2.5.10 / 2.6.7 / 2.7.4 Denial Of Service

Redhat

advisories
  • rhsa
    idRHSA-2013:1028
  • rhsa
    idRHSA-2013:1437

Seebug

  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:80338
    last seen2017-11-19
    modified2014-07-01
    published2014-07-01
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-80338
    titleApache CXF prior to 2.5.10, 2.6.7 and 2.7.4 - Denial of Service
  • bulletinFamilyexploit
descriptionBUGTRAQ ID: 61030 CVE(CAN) ID: CVE-2013-2160 Apache CXF是一个开源服务框架,用于使用JAX-WS、JAX-RS等前端编程API编译和开发服务。 Apache CXF 2.5.10、2.6.7、2.7.4之前的版本存在多个远程拒绝服务漏洞,流XML解析器没有限制元素数、属性数、接收文档嵌套结构等,攻击者利用这些漏洞可造成应用崩溃,导致拒绝服务。 0 Apache Group CXF < 2.5.10 Apache Group CXF < 2.7.4 Apache Group CXF < 2.6.7 厂商补丁: Apache Group ------------ Apache Group已经为此发布了一个安全公告(CVE-2013-2160)以及相应补丁: CVE-2013-2160:Denial of Service Attacks on Apache CXF 链接:http://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc?version=1&modificationDate=1372
    idSSV:60893
    last seen2017-11-19
    modified2013-07-11
    published2013-07-11
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-60893
    titleApache CXF多个远程拒绝服务漏洞(CVE-2013-2160)