Vulnerabilities reported for Apache CXF before 3.3.4 and 3.2.11

Issue date: 15-01-2020
Affects versions: 13.4, 13.3, 12.5, 11.2

Issue ID

SECURITY-147

Affected Product Version(s)

13.4.0, 12.6.7, 11.2.16 (and previous patch releases)

Severity

Medium

Description

Apache CXF reported vulnerability CVE-2019-12406 in versions before 3.3.4 and 3.2.11

Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".

Apache CXF has been updated to version 3.3.4.

Instructions

Every customer is advised to upgrade as soon as possible to the latest maintenance release as indicated above, or higher. This can be done by simply incrementing the version number of the parent POM for the implementation project.

Get Started

Build a Website

Relevance Trail

Feed an AngularJS App

Understand Hippo

Implement Hippo

Extend Hippo

Integrate Hippo

Run Hippo

Upgrade Hippo

Develop Hippo

Use Hippo

Report an Issue

Bloomreach Documentation version

Vulnerabilities reported for Apache CXF before 3.3.4 and 3.2.11