[ 
https://issues.apache.org/jira/browse/CXF-6479?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh closed CXF-6479.
------------------------------------

> Denial of Service: Regular Expression in StringUtils
> ----------------------------------------------------
>
>                 Key: CXF-6479
>                 URL: https://issues.apache.org/jira/browse/CXF-6479
>             Project: CXF
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 3.1.1
>            Reporter: Donald Kwakkel
>            Assignee: Sergey Beryozkin
>             Fix For: 3.0.6, 2.7.17, 3.1.2
>
>
> Untrusted data is passed to the application and used as a regular expression. 
>  This can cause the thread to over-consume CPU resources.
> org.apache.cxf.common.util.StringUtils    
> {code}
>             String separator = getSeparator();
>             return StringUtils.split(c, separator);
> {code}
> Where separator is provided by CacheControlHeader:
> {code}
> Object sepProperty = message.getContextualProperty(CACHE_CONTROL_SEPARATOR_PROPERTY);
> {code}
> There is a vulnerability in implementations of regular expression evaluators 
> and related methods that can cause the thread to hang when evaluating 
> repeating and alternating overlapping of nested and repeated regex groups. 
> This defect can be used to execute a DOS (Denial of Service) attack.
> Example:
> {code}
> (e+)+
> ([a-zA-Z]+)*
> {code}
> There are no known regular expression implementations which are immune to this vulnerability.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
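The report above turns on one detail: `String.split` in Java treats its argument as a regular expression, so a separator taken from a message property is compiled as a pattern. The following is an added example, not code from CXF or from the reporter; the class and method names are hypothetical. It contrasts a split that hands the separator straight to the regex engine with two variants that treat it as literal text, and adds a simple allowlist check a caller could apply before accepting a configured separator.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added example (hypothetical names, not CXF code). Shows why an untrusted
// separator passed to String.split is a ReDoS exposure, and two ways to
// split that never compile the separator as a pattern.
public class SeparatorSplitDemo {

    // Stand-in for the behaviour described in the report: the separator
    // string is used directly as the split regex. A value such as "(e+)+"
    // would be compiled and evaluated by the regex engine.
    static String[] regexSplit(String value, String separator) {
        return value.split(separator);
    }

    // Hardened variant: Pattern.quote wraps the separator in \Q...\E so
    // every character in it is matched literally, whatever it contains.
    static String[] quotedSplit(String value, String separator) {
        return value.split(Pattern.quote(separator));
    }

    // Variant that avoids the regex engine entirely: plain indexOf scanning.
    static List<String> literalSplit(String value, String separator) {
        if (separator.isEmpty()) {
            throw new IllegalArgumentException("separator must not be empty");
        }
        List<String> parts = new ArrayList<>();
        int start = 0;
        int idx;
        while ((idx = value.indexOf(separator, start)) >= 0) {
            parts.add(value.substring(start, idx));
            start = idx + separator.length();
        }
        parts.add(value.substring(start));
        return parts;
    }

    // Optional pre-check for a configured separator: a short allowlist of
    // plausible header delimiters. Anything else is rejected before use.
    // The allowed set here is a constructed example, not a CXF default.
    static boolean isAcceptableSeparator(String separator) {
        return separator.length() == 1 && ",;| ".indexOf(separator.charAt(0)) >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample header value.
        String header = "no-cache,no-store,max-age=0";
        System.out.println(Arrays.toString(regexSplit(header, ",")));   // [no-cache, no-store, max-age=0]
        System.out.println(Arrays.toString(quotedSplit(header, ",")));  // [no-cache, no-store, max-age=0]
        System.out.println(literalSplit(header, ","));                  // [no-cache, no-store, max-age=0]

        // A separator that is also a regex metacharacter: as a regex "."
        // matches every character, so the result is all empty strings,
        // which String.split then discards; the literal variants split
        // only on the actual dot.
        String dotted = "a.b.c";
        System.out.println(Arrays.toString(regexSplit(dotted, ".")));   // []
        System.out.println(Arrays.toString(quotedSplit(dotted, ".")));  // [a, b, c]
        System.out.println(literalSplit(dotted, "."));                  // [a, b, c]

        // The pathological pattern quoted in the report is never compiled by
        // the literal variants; it is just a string to search for.
        System.out.println(literalSplit("x(e+)+y", "(e+)+"));          // [x, y]
        System.out.println(isAcceptableSeparator("(e+)+"));            // false
        System.out.println(isAcceptableSeparator(","));                // true
    }
}
```

The `regexSplit` call with a crafted separator is deliberately not exercised in `main`, since doing so on a long input is exactly the CPU-exhaustion the report describes; the point of the example is that `quotedSplit` and `literalSplit` give the same results on ordinary delimiters while removing the regex engine from the path an untrusted value can reach.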