Colm O Heigeartaigh

**Name of the Vulnerable Software and Affected Versions** Apache Neethi versions prior to 3.2.2 **Description** An issue exists in policy normalization where algorithmic complexity allows for a Denial of Service attack. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process. This results in unbounded memory allocation that exhausts the JVM heap because the process generates an excessive number of policy alternatives without limits. **Recommendations** Upgrade to version 3.2.2.

**Name of the Vulnerable Software and Affected Versions** Apache Neethi versions prior to 3.2.2 **Description** The PolicyReference API does not impose restrictions on URIs when manually fetching remote policy references. This allows an application that explicitly calls the API to make outbound requests using arbitrary protocols and internal IP addresses. **Recommendations** Upgrade to version 3.2.2.

**Name of the Vulnerable Software and Affected Versions** Apache Neethi versions prior to 3.2.2 **Description** Apache Neethi fails to properly detect circular references in policy definitions. When a WS-Policy document contains circular policy references (for example, Policy A references Policy B, which in turn references Policy A), the policy normalization process may enter an infinite loop or cause excessive recursion. This can result in a stack overflow or an application hang, allowing an attacker to cause a Denial of Service condition by crafting malicious policy documents. **Recommendations** Upgrade to version 3.2.2.

**Name of the Vulnerable Software and Affected Versions** Apache CXF versions prior to 3.5.10 Apache CXF versions prior to 3.6.5 Apache CXF versions prior to 4.0.6 **Description** A potential denial of service issue is present in Apache CXF. In some edge cases, the `CachedOutputStream` instances may not be closed and, if backed by temporary files, may fill up the file system. This issue applies to both servers and clients. An exploit can cause resource exhaustion, resulting in a denial of service. **Recommendations** For versions prior to 3.5.10, update to version 3.5.10 or later to resolve the issue. For versions prior to 3.6.5, update to version 3.6.5 or later to resolve the issue. For versions prior to 4.0.6, update to version 4.0.6 or later to resolve the issue. As a temporary workaround, consider implementing measures to monitor and limit the use of temporary files to prevent file system exhaustion.

Name of the Vulnerable Software and Affected Versions: Apache CXF versions 3.6.3 and earlier, 4.0.4 and earlier Description: The issue is related to a memory leak in the Apache CXF HTTP client conduit, which can prevent HTTPClient instances from being garbage collected. This can cause memory consumption to increase over time, potentially leading to the application running out of memory. The vulnerability can be exploited by a remote attacker to cause a denial of service. Recommendations: For versions prior to 3.6.4, update to version 3.6.4 or later to resolve the issue. For versions prior to 4.0.5, update to version 4.0.5 or later to resolve the issue. As a temporary workaround, consider restricting the use of the HTTP client conduit to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache Karaf versions prior to 4.2.9 **Description** The issue concerns JMX authentication and authorization in Karaf, where a user with a "viewer" role can invoke certain methods, potentially leading to a SSRF style attack and privilege escalation by polluting the MBean registry. By default, only an "admin" can invoke on an MBean, but a "viewer" role can call get* methods. An attacker can authenticate as a "viewer" and invoke the MLet `getMBeansFromURL` method, which fetches an MBean from a remote server and registers it in Karaf. Although the attack fails due to lack of permission to invoke on the MBean, it can still cause issues. The vulnerability can be mitigated by adding an ACL to limit access. **Recommendations** Update to Apache Karaf 4.2.9 or newer. As a temporary workaround, consider adding an ACL to limit access to the `getMBeansFromURL` method for "viewer" roles. Restrict access to the MLet `getMBeansFromURL` method to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache Flink versions 1.1.0 through 1.1.5 Apache Flink versions 1.2.0 through 1.2.1 Apache Flink versions 1.3.0 through 1.3.3 Apache Flink versions 1.4.0 through 1.4.2 Apache Flink versions 1.5.0 through 1.5.6 Apache Flink versions 1.6.0 through 1.6.4 Apache Flink versions 1.7.0 through 1.7.2 Apache Flink versions 1.8.0 through 1.8.3 Apache Flink versions 1.9.0 through 1.9.2 Apache Flink version 1.10.0 **Description** A vulnerability exists in Apache Flink where an attacker with local access to the machine and JMX port can execute a man-in-the-middle attack using a specially crafted request to rebind the JMXRMI registry to one under the attacker's control. This compromises any connection established to the process via JMX, allowing extraction of credentials and any other transferred data. The attack is possible when running a process with an enabled JMXReporter, with a port configured via `metrics.reporter.reporter name>.port`. **Recommendations** For Apache Flink versions 1.1.0 through 1.1.5, consider disabling the JMXReporter until a patch is available. For Apache Flink versions 1.2.0 through 1.2.1, consider disabling the JMXReporter until a patch is available. For Apache Flink versions 1.3.0 through 1.3.3, consider disabling the JMXReporter until a patch is available. For Apache Flink versions 1.4.0 through 1.4.2, consider disabling the JMXReporter until a patch is available. For Apache Flink versions 1.5.0 through 1.5.6, consider disabling the JMXReporter until a patch is available. For Apache Flink versions 1.6.0 through 1.6.4, consider disabling the JMXReporter until a patch is available. For Apache Flink versions 1.7.0 through 1.7.2, consider disabling the JMXReporter until a patch is available. For Apache Flink versions 1.8.0 through 1.8.3, consider disabling the JMXReporter until a patch is available. For Apache Flink versions 1.9.0 through 1.9.2, consider disabling the JMXReporter until a patch is available. For Apache Flink version 1.10.0, consider disabling the JMXReporter until a patch is available.

Name of the Vulnerable Software and Affected Versions: Apache Karaf versions prior to 4.2.3 Description: The issue arises from the Apache Karaf kar deployer's failure to validate paths in .kar archives, allowing a malicious user to craft a .kar file with ".." directory names and write arbitrary content to the filesystem, known as the "Zip-slip" vulnerability. The impact of this issue is mitigated if the Karaf process user has limited permission on the filesystem. Recommendations: For versions prior to 4.2.3, update to version 4.2.3 or later to resolve the issue. As a temporary workaround, consider restricting the permissions of the Karaf process user on the filesystem to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache Karaf versions prior to 4.0.8 **Description** The issue concerns the improper encoding of usernames, making the system vulnerable to LDAP injection attacks. This can lead to a denial of service. **Recommendations** For versions prior to 4.0.8, update to version 4.0.8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apache CXF Fediz versions 1.1.0 through 1.1.3 Apache CXF Fediz versions 1.2.x prior to 1.2.1 **Description** The issue allows remote attackers to cause a denial of service. This can be achieved through application plugins in Apache CXF Fediz. **Recommendations** For Apache CXF Fediz versions 1.1.0 through 1.1.2, update to version 1.1.3 to resolve the issue. For Apache CXF Fediz versions 1.2.x prior to 1.2.1, update to version 1.2.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apache CXF Fediz versions 1.2.x through 1.2.2 Apache CXF Fediz versions 1.3.x through 1.3.0 **Description** The issue is related to the application plugins in Apache CXF Fediz, where SAML AudienceRestriction values are not properly matched against configured audience URIs. This could allow remote attackers to bypass intended restrictions by using a crafted SAML token with a trusted signature. **Recommendations** For Apache CXF Fediz versions 1.2.x through 1.2.2, update to version 1.2.3 or later. For Apache CXF Fediz versions 1.3.x through 1.3.0, update to version 1.3.1 or later.

**Name of the Vulnerable Software and Affected Versions** Apache CXF versions prior to 2.7.18 Apache CXF versions 3.0.x prior to 3.0.7 Apache CXF versions 3.1.x prior to 3.1.3 **Description** The issue allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a wrapping attack. **Recommendations** For Apache CXF versions prior to 2.7.18, update to version 2.7.18 or later. For Apache CXF versions 3.0.x prior to 3.0.7, update to version 3.0.7 or later. For Apache CXF versions 3.1.x prior to 3.1.3, update to version 3.1.3 or later.

**Name of the Vulnerable Software and Affected Versions** Red Hat AMQ (affected versions not specified) Apache ActiveMQ (affected versions not specified) **Description** The issue is related to errors in security settings of the Hawtio web console in Apache ActiveMQ, which allows CORS headers to be set to allow all in Red Hat AMQ. This could potentially allow a remote attacker to obtain confidential information or exert other influence. **Recommendations** For Red Hat AMQ, consider restricting access to the web console until a fix is available. For Apache ActiveMQ, restrict access to the Hawtio web console to minimize the risk of exploitation. As a temporary workaround, consider disabling the `CORS headers` setting in the affected systems until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Santuario XML Security for Java versions 1.5.5 and earlier **Description** The issue allows remote attackers to cause a denial of service, specifically memory consumption, via crafted Document Type Definitions (DTDs) when applying Transforms, related to signatures. This is due to errors in resource management. **Recommendations** For versions prior to 1.5.6, update to version 1.5.6 or later to resolve the issue. As a temporary workaround, consider restricting the use of crafted DTDs in the `DOMCanonicalizationMethod.java` component until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Apache CXF versions 2.5.0 through 2.5.9 Apache CXF versions 2.6.0 through 2.6.6 Apache CXF versions 2.7.0 through 2.7.3 **Description** The issue allows remote attackers to bypass authentication when the plaintext UsernameToken WS-SecurityPolicy is enabled. This occurs via a security header of a SOAP request containing a `UsernameToken` element that lacks a `password` child element. **Recommendations** For Apache CXF versions 2.5.0 through 2.5.9, update to version 2.5.9 or later. For Apache CXF versions 2.6.0 through 2.6.6, update to version 2.6.6 or later. For Apache CXF versions 2.7.0 through 2.7.3, update to version 2.7.3 or later.