[ https://issues.apache.org/jira/browse/CXF-8453?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin closed CXF-8453.
-----------------------
    Resolution: Duplicate

> DOS vulnerability in bearer token parsing
> -----------------------------------------
>
>                 Key: CXF-8453
>                 URL: https://issues.apache.org/jira/browse/CXF-8453
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.4.3
>            Reporter: Martin
>            Priority: Major
>         Attachments: cxf-bearer-dos.zip, stacktrace.txt
>
>
> When a specific invalid bearer token is passed to the OAuthRequestFilter for 
> validation, it gets stuck in an endless JSON parsing loop, with the given 
> thread consuming the CPU indefinitely.
> It seems to me that the problem is maybe on multiple levels, the first being 
> that CXF decodes invalid Base64 without problems, and then tries to parse the 
> invalid result as JSON. I obtained the invalid token by incorrectly copying 
> the header value from the Firefox network tab, which shortens long header values 
> with the "…" character - see the invalid token:
> {{eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIyZ3RYd0FMb2h6ekNYTkFaYjBLbGFDVUtnQ01xMi0wUlFiNkVRYWFSeGE0In0.eyJleHAiOjE2MTc3MTA3MDgsImlhdCI6MTYxNzcxMDQwOCwiYXV0aF90aW1lIjoxNjE3NzEwNDA2LCJqdGkiOiJlMjEzZjY2Ni00Y2ZjLTQ4ZWItOTcxZi03NzEyMzA5YWYyZjYiLCJpc3MiOiJodHRwczovL3BnZGV2LnNlZmlyYS5jei9hdXRoL3JlYWxtcy9kZWZhdWx0IiwiYXVkIjpbIm9iZWxpc2stc3AtYXBpIiwiYWNjb3VudCJdLCJzdWIiOiI3NDYxYWUzNy05ODAxLTQ2MGQtODkwYS1lMTY0ZjUyM2Y4NzIiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJvYmVsaXNrLXNwLWd1aSIsIm5vbmNlIjoiYTIwZmM1ZTUtZTVmZ…hbCIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QiLCJnaXZlbl9uYW1lIjoiS2F6aXN2xJt0IE9zbcO9IiwiZmFtaWx5X25hbWUiOiJ6IEJvxb7DrSB2xa9sZSBrcsOhbCIsImVtYWlsIjoidGVzdEBzZWZpcmEuY3p4In0.oyOijY0OluxSzqsaZtTwH3_kl327jCziXQcFRpsoPpCqTXbwQmn4s4_75ov83iwVVi_tohaVniof_Y80IaMz62jzzJvr5HZNzFPjXbHMO4W4Wgp2HwtRJBDIIfpMvhyR6OYQfSmNl7Ie-1X5ij7PTeMO5qUH_U725NdzSLwz3A8DC7JAgpWdUJxJHbAUYtqoyOHHM8IYpzq0yGU0Zq3LS7EqN-mH3s4OqzTgcgXL7T7bpybTyjOF7e3GLQt9tn9E9Ch3ZPP9MtsVRQ8sJZRo1q-kZBQDSPkiCw0o-pOeVxzXy5LvSkFPLTp73ab2H0V08xKzQSKpjYOx9XKc8yzqkA}}
> I attach a minimal Maven project that I put together which can reproduce the 
> behavior by invoking this cURL request:
> {{curl -v -H "Authorization: Bearer [token above]" 
> [http://localhost/services/myapp/hell|http://localhost:8888/services/myapp/helltoken]o}}
>  
>  
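The defensive check the report points at, as an added Python example (not CXF code and not the reporter's attachment): every segment of the JWS compact serialization is verified to be non-empty base64url before anything is decoded, so a token containing the U+2026 ellipsis a browser inserts when shortening a header is rejected in linear time, and JSON parsing only ever runs on bytes produced from validated input. The helper names and the constructed sample tokens are assumptions.

```python
import base64
import json
import string

# base64url alphabet (RFC 4648 section 5); JWS compact serialization carries no padding.
B64URL_CHARS = frozenset(string.ascii_letters + string.digits + "-_")

def check_jws_compact(token: str) -> list:
    """Cheap checks run before any Base64 decoding or JSON parsing; [] means well-formed."""
    reasons = []
    parts = token.split(".")
    if len(parts) != 3:
        reasons.append("expected 3 dot-separated segments, got %d" % len(parts))
    for name, seg in zip(("header", "payload", "signature"), parts):
        if not seg:
            reasons.append("%s segment is empty" % name)
            continue
        bad = sorted({c for c in seg if c not in B64URL_CHARS})
        if bad:  # e.g. the U+2026 ellipsis a browser inserts when it shortens a header value
            reasons.append("%s segment has non-base64url characters: %r" % (name, bad))
    return reasons

def parse_jws_parts(token: str):
    """Decode header and payload as JSON objects; raises ValueError on any defect."""
    reasons = check_jws_compact(token)
    if reasons:
        raise ValueError("; ".join(reasons))
    # Segments passed the alphabet check, so restoring padding and decoding cannot hide junk.
    dec = lambda s: base64.urlsafe_b64decode((s + "=" * (-len(s) % 4)).encode("ascii"))
    header, payload, _signature = token.split(".")
    header, payload = json.loads(dec(header)), json.loads(dec(payload))
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("JWS header and payload must be JSON objects")
    return header, payload

def is_acceptable(token: str) -> bool:
    try:
        parse_jws_parts(token)
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return False

def make_token(header: dict, payload: dict, signature: bytes) -> str:
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")
    segs = [enc(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    return ".".join(segs + [enc(signature)])

# Constructed samples: placeholder signature bytes; TRUNCATED mimics the reporter's copy-paste with U+2026.
VALID = make_token({"alg": "RS256", "typ": "JWT"}, {"sub": "test", "exp": 1617710708}, b"\x00" * 4)
TRUNCATED = VALID[:40] + "\u2026" + VALID[-30:]
```

A segment that is valid base64url but decodes to something that is not JSON still fails, but it fails in the JSON parser with an exception rather than in an unbounded loop.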



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
