CVE-2021-22696

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 02-04-2021 12:15

Last modified: - 12-05-2022 04:36

Total changes: - 7

Description

CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Low

Attack complexity

Network

Attack vector

High

Availability

None

Confidentiality

None

Integrity

None

Privileges required

Unchanged

Scope

None

User interaction

7.5

Base score

3.9

3.6

Exploitability score

Impact score

Verification logic

vendor=apache AND product=cxf AND versionStartIncluding=3.4.0 AND versionEndExcluding=3.4.3

vendor=apache AND product=cxf AND versionEndExcluding=3.3.10

vendor=oracle AND product=business_intelligence AND version=12.2.1.3.0 AND software_edition=enterprise

vendor=oracle AND product=business_intelligence AND version=12.2.1.4.0 AND software_edition=enterprise

vendor=oracle AND product=business_intelligence AND version=5.5.0.0.0 AND software_edition=enterprise

vendor=oracle AND product=communications_session_route_manager AND versionEndIncluding=8.2.4 AND versionStartIncluding=8.0.0

vendor=oracle AND product=communications_session_report_manager AND versionEndIncluding=8.2.4.0 AND versionStartIncluding=8.0.0

vendor=oracle AND product=business_intelligence AND version=5.9.0.0.0 AND software_edition=enterprise

vendor=oracle AND product=communications_element_manager AND version=8.2.2

vendor=oracle AND product=communications_diameter_intelligence_hub AND versionEndIncluding=8.1.0 AND versionStartIncluding=8.0.0

vendor=oracle AND product=communications_diameter_intelligence_hub AND versionEndIncluding=8.2.3 AND versionStartIncluding=8.2.0

Reference

N/A-Vendor Advisory
[oss-security] 20210402 CVE-2021-22696: Apache CXF: OAuth 2 authorization service vulnerable to DDos attacks-Mailing List, Third Party Advisory
[cxf-users] 20210402 CVE-2021-22696: OAuth 2 authorization service vulnerable to DDos attacks-Mailing List, Vendor Advisory
[cxf-dev] 20210402 CVE-2021-22696: OAuth 2 authorization service vulnerable to DDos attacks-Mailing List, Vendor Advisory
[cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html-Mailing List, Vendor Advisory
[announce] 20210402 [Apache CXF] CVE-2021-22696: OAuth 2 authorization service vulnerable to DDos attacks-Mailing List, Vendor Advisory
[cxf-commits] 20210616 svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html-Exploit, Mailing List, Vendor Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html

Keywords

CVE-2021-22696

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2021-22696

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures