Vulnerability Description
CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Cxf | < 3.3.10 |
| Oracle | Business Intelligence | 5.5.0.0.0 |
| Oracle | Communications Diameter Intelligence Hub | >= 8.0.0, <= 8.1.0 |
| Oracle | Communications Element Manager | 8.2.2 |
| Oracle | Communications Session Report Manager | >= 8.0.0, <= 8.2.4.0 |
| Oracle | Communications Session Route Manager | >= 8.0.0, <= 8.2.4 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2021/04/02/2Mailing ListThird Party Advisory
- https://cxf.apache.org/security-advisories.data/CVE-2021-22696.txt.ascVendor Advisory
- https://lists.apache.org/thread.html/r6445001cc5f9a2bb1e6316993753306e054bdd1d70
- https://lists.apache.org/thread.html/r8651c06212c56294a1c0ea61a5ad7790c06502209c
- https://lists.apache.org/thread.html/r8651c06212c56294a1c0ea61a5ad7790c06502209c
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba7
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
- http://www.openwall.com/lists/oss-security/2021/04/02/2Mailing ListThird Party Advisory
- https://cxf.apache.org/security-advisories.data/CVE-2021-22696.txt.ascVendor Advisory
- https://lists.apache.org/thread.html/r6445001cc5f9a2bb1e6316993753306e054bdd1d70
- https://lists.apache.org/thread.html/r8651c06212c56294a1c0ea61a5ad7790c06502209c
- https://lists.apache.org/thread.html/r8651c06212c56294a1c0ea61a5ad7790c06502209c
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba7
FAQ
What is CVE-2021-22696?
CVE-2021-22696 is a vulnerability with a CVSS score of 7.5 (HIGH). CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR))....
How severe is CVE-2021-22696?
CVE-2021-22696 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-22696?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Cxf, Oracle Business Intelligence, Oracle Communications Diameter Intelligence Hub, Oracle Communications Element Manager, Oracle Communications Session Report Manager.