Apache CXF XML DTD Processing Security Vulnerability

Publish date: July 21, 2015
  Severity: HIGH
  CVE Identifier: CVE-2010-2076
  Advisory Date: JUL 21, 2015

  DESCRIPTION

Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to samples/wsdl_first_pure_xml, a similar issue to CVE-2010-1632.

  TREND MICRO PROTECTION INFORMATION

Apply associated Trend Micro DPI Rules.

  SOLUTION

  Trend Micro Deep Security DPI Rule Number: 1004369
  Trend Micro Deep Security DPI Rule Name: 1004369 - Apache CXF XML DTD Processing Security Vulnerability

  AFFECTED SOFTWARE AND VERSION

  • apache cxf 2.0
  • apache cxf 2.0.1
  • apache cxf 2.0.10
  • apache cxf 2.0.11
  • apache cxf 2.0.12
  • apache cxf 2.0.2
  • apache cxf 2.0.3
  • apache cxf 2.0.4
  • apache cxf 2.0.5
  • apache cxf 2.0.6
  • apache cxf 2.0.7
  • apache cxf 2.0.8
  • apache cxf 2.0.9
  • apache cxf 2.1
  • apache cxf 2.1.1
  • apache cxf 2.1.2
  • apache cxf 2.1.3
  • apache cxf 2.1.4
  • apache cxf 2.1.5
  • apache cxf 2.1.6
  • apache cxf 2.1.7
  • apache cxf 2.1.8
  • apache cxf 2.1.9
  • apache cxf 2.2
  • apache cxf 2.2.1
  • apache cxf 2.2.2
  • apache cxf 2.2.3
  • apache cxf 2.2.4
  • apache cxf 2.2.5
  • apache cxf 2.2.6
  • apache cxf 2.2.7
  • apache cxf 2.2.8

Featured Stories