[ https://issues.apache.org/jira/browse/CXF-6479?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sergey Beryozkin resolved CXF-6479.
-----------------------------------
Resolution: Fixed
Assignee: Sergey Beryozkin
Fix Version/s: 3.1.2, 2.7.17, 3.0.6
See http://git-wip-us.apache.org/repos/asf/cxf/commit/a24039d4. Thanks.
> Denial of Service: Regular Expression in StringUtils
> ----------------------------------------------------
>
> Key: CXF-6479
> URL: https://issues.apache.org/jira/browse/CXF-6479
> Project: CXF
> Issue Type: Bug
> Components: Core
> Affects Versions: 3.1.1
> Reporter: Donald Kwakkel
> Assignee: Sergey Beryozkin
> Fix For: 3.0.6, 2.7.17, 3.1.2
>
>
> Untrusted data is passed to the application and used as a regular expression.
> This can cause the thread to over-consume CPU resources.
> org.apache.cxf.common.util.StringUtils
> {code}
> String separator = getSeparator();
> return StringUtils.split(c, separator);
> {code}
> Where separator is provided by CacheControlHeader:
> {code}
> Object sepProperty = message.getContextualProperty(CACHE_CONTROL_SEPARATOR_PROPERTY);
> {code}
> There is a vulnerability in implementations of regular expression evaluators
> and related methods that can cause the thread to hang when evaluating
> repeating and alternating overlapping of nested and repeated regex groups.
> This defect can be used to execute a DoS (Denial of Service) attack.
> Example:
>
> (e+)+
> ([a-zA-Z]+)*
>
> There are no known regular expression implementations which are
> immune to this vulnerability.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
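The unsafe shape described in the report (an attacker-influenced separator handed to a regex-based split) placed beside a literal-split alternative, as an added illustration that is not CXF's own code; the `Cache-Control` sample value and the length check on the separator are assumptions made for the example.

```java
import java.util.Arrays;
import java.util.regex.Pattern;

public class SeparatorSplitDemo {

    // Mirrors the unsafe shape from the report: the separator string is passed
    // straight to String.split, which compiles it as a regular expression.
    // (Stand-in for the CXF code path, not CXF's own code.)
    static String[] splitAsRegex(String value, String separator) {
        return value.split(separator);
    }

    // Hardened form: bound the separator to something a header delimiter could
    // plausibly be (length limit is an assumption for this example) and quote
    // it so the regex engine matches it literally, never as a pattern.
    static String[] splitLiteral(String value, String separator) {
        if (separator == null || separator.isEmpty() || separator.length() > 2) {
            throw new IllegalArgumentException("unexpected separator: " + separator);
        }
        return value.split(Pattern.quote(separator));
    }

    public static void main(String[] args) {
        // Constructed header value using "|" as the configured separator.
        String header = "no-cache|max-age=0";

        // Regex-interpreted: "|" is an alternation of two empty patterns, so it
        // matches at every position and the value is split into single characters.
        System.out.println(Arrays.toString(splitAsRegex(header, "|")));

        // Literal: exactly the two directives the caller expected.
        System.out.println(Arrays.toString(splitLiteral(header, "|")));

        // A nested-quantifier separator of the kind quoted in the report is
        // compiled as-is by the unsafe path; the hardened path rejects it
        // before it ever reaches the regex engine.
        try {
            splitLiteral(header, "(e+)+");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```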