References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Known Affected Software Configurations Switch to CPE 2.2

Change History

OR
          *cpe:2.3:a:apache:cxf:3.5.10:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:cxf:3.6.5:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:cxf:4.0.6:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:cxf:4.1.0:*:*:*:*:*:*:*

Apache Software Foundation: https://lists.apache.org/thread/vo5qv02mvv5plmb6z2xf1ktjmrpv3jmn Types: Issue Tracking, Mailing List, Vendor Advisory

AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Apache CXF stores large stream based messages as temporary files on the local filesystem. A bug was introduced which means that the entire temporary file is read into memory and then logged. An attacker might be able to exploit this to cause a denial of service attack by causing an out of memory exception. In addition, it is possible to configure CXF to encrypt temporary files to prevent sensitive credentials from being cached unencrypted on the local filesystem, however this bug means that the cached files are written out to logs unencrypted.

Users are recommended to upgrade to versions 3.5.11, 3.6.6, 4.0.7 or 4.1.1, which fixes this issue.

CWE-400

https://lists.apache.org/thread/vo5qv02mvv5plmb6z2xf1ktjmrpv3jmn