CVE-2019-17573: Apache CXF Reflected XSS in the services listing page

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 3.3.5 and
3.2.12.

Description:

By default, Apache CXF creates a /services page containing a listing of the
available endpoint names and addresses. This webpage is vulnerable to a
reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to
inject JavaScript into the web page.

Please note that the attack exploits a feature which is not typically present
in modern browsers, which remove dot segments before sending the request.
However, mobile applications may be vulnerable.
Mitigation:

Users of Apache CXF should update to either 3.3.5 or 3.2.12. Alternatively,
it is possible to disable the service listing altogether by setting the
"hide-service-list-page" servlet parameter to "true".
Credit:

Tal Manor, GE cyber security team.