[jira] [Created] (CXF-8453) DOS vulnerability in bearer token parsing

Thu, 08 Apr 2021 02:29:04 -0700 

Martin created CXF-8453:
---------------------------

             Summary: DOS vulnerability in bearer token parsing
                 Key: CXF-8453
                 URL: https://issues.apache.org/jira/browse/CXF-8453
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS Security
    Affects Versions: 3.4.3
            Reporter: Martin
         Attachments: cxf-bearer-dos.zip, stacktrace.txt

When a specific invalid bearer token is passed to the OAuthRequestFilter for 
validation, it gets stuck in an endless JSON parsing loop, with the given 
thread consuming the CPU indefinitely.

It seems to me that the problem is maybe on multiple levels, the first being 
tha CXF decodes invalid Base64 without problems, and then tries to parse the 
invalid result as JSON. I obtained the invalid token by incorrectly copying the 
header value from Firefox network tab, which shortens long header values with 
"…" character - see the invalid token:

{{eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIyZ3RYd0FMb2h6ekNYTkFaYjBLbGFDVUtnQ01xMi0wUlFiNkVRYWFSeGE0In0.eyJleHAiOjE2MTc3MTA3MDgsImlhdCI6MTYxNzcxMDQwOCwiYXV0aF90aW1lIjoxNjE3NzEwNDA2LCJqdGkiOiJlMjEzZjY2Ni00Y2ZjLTQ4ZWItOTcxZi03NzEyMzA5YWYyZjYiLCJpc3MiOiJodHRwczovL3BnZGV2LnNlZmlyYS5jei9hdXRoL3JlYWxtcy9kZWZhdWx0IiwiYXVkIjpbIm9iZWxpc2stc3AtYXBpIiwiYWNjb3VudCJdLCJzdWIiOiI3NDYxYWUzNy05ODAxLTQ2MGQtODkwYS1lMTY0ZjUyM2Y4NzIiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJvYmVsaXNrLXNwLWd1aSIsIm5vbmNlIjoiYTIwZmM1ZTUtZTVmZ…hbCIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QiLCJnaXZlbl9uYW1lIjoiS2F6aXN2xJt0IE9zbcO9IiwiZmFtaWx5X25hbWUiOiJ6IEJvxb7DrSB2xa9sZSBrcsOhbCIsImVtYWlsIjoidGVzdEBzZWZpcmEuY3p4In0.oyOijY0OluxSzqsaZtTwH3_kl327jCziXQcFRpsoPpCqTXbwQmn4s4_75ov83iwVVi_tohaVniof_Y80IaMz62jzzJvr5HZNzFPjXbHMO4W4Wgp2HwtRJBDIIfpMvhyR6OYQfSmNl7Ie-1X5ij7PTeMO5qUH_U725NdzSLwz3A8DC7JAgpWdUJxJHbAUYtqoyOHHM8IYpzq0yGU0Zq3LS7EqN-mH3s4OqzTgcgXL7T7bpybTyjOF7e3GLQt9tn9E9Ch3ZPP9MtsVRQ8sJZRo1q-kZBQDSPkiCw0o-pOeVxzXy5LvSkFPLTp73ab2H0V08xKzQSKpjYOx9XKc8yzqkA}}

I attach a minimal Maven project that I put together which can reproduce the 
behavior by invoking this cURL request:

{{curl -v -H "Authorization: Bearer [token above]" 
[http://localhost/services/myapp/hell|http://localhost:8888/services/myapp/helltoken]o}}

 

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to