CVE-2021-22696

OAuth 2 authorization service vulnerable to DDos attacks

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.

CXF admite (por medio de JwtRequestCodeFilter) pasar parámetros de OAuth 2 por medio de un token JWT en lugar de parámetros de consulta (consulte: El Framework de Autorización de OAuth 2.0: JWT Secured Authorization Request (JAR)). En lugar de enviar un token JWT como un parámetro "request", la especificación también admite la especificación de un URI desde el cual recuperar un token JWT por medio del parámetro "request_uri". CXF no estaba comprobando el parámetro "request_uri" (además de asegurarse de que usa "https) y estaba realizando una petición REST hacia el parámetro en la petición para recuperar un token. Esto significa que CXF era vulnerable a ataques de DDos en el servidor de autorización, como lo especifica en sección 10.4.1 de la especificación Este problema afecta a Apache CXF versiones anteriores a 3.4.3; Apache CXF versiones anteriores a 3.3.10.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-01-06 CVE Reserved
2021-04-02 CVE Published
2024-08-03 CVE Updated
2024-08-20 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-918: Server-Side Request Forgery (SSRF)

CAPEC

References (11)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2021/04/02/2	Mailing List
https://lists.apache.org/thread.html/r6445001cc5f9a2bb1e6316993753306e054bdd1d702656b7cbe59045%40%3Cannounce.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r8651c06212c56294a1c0ea61a5ad7790c06502209c03f05c0c7c9914%40%3Cdev.cxf.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r8651c06212c56294a1c0ea61a5ad7790c06502209c03f05c0c7c9914%40%3Cusers.cxf.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E	Mailing List

URL	Date	SRC

URL	Date	SRC
https://www.oracle.com/security-alerts/cpuapr2022.html	2023-11-07
https://www.oracle.com/security-alerts/cpuoct2021.html	2023-11-07

URL	Date	SRC
https://cxf.apache.org/security-advisories.data/CVE-2021-22696.txt.asc	2023-11-07
https://access.redhat.com/security/cve/CVE-2021-22696	2022-11-02
https://bugzilla.redhat.com/show_bug.cgi?id=1946341	2022-11-02

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Cxf Search vendor "Apache" for product "Cxf"				< 3.3.10 Search vendor "Apache" for product "Cxf" and version " < 3.3.10"		-		Affected
Apache Search vendor "Apache"		Cxf Search vendor "Apache" for product "Cxf"				>= 3.4.0 < 3.4.3 Search vendor "Apache" for product "Cxf" and version " >= 3.4.0 < 3.4.3"		-		Affected
Oracle Search vendor "Oracle"		Business Intelligence Search vendor "Oracle" for product "Business Intelligence"				5.5.0.0.0 Search vendor "Oracle" for product "Business Intelligence" and version "5.5.0.0.0"		enterprise		Affected
Oracle Search vendor "Oracle"		Business Intelligence Search vendor "Oracle" for product "Business Intelligence"				5.9.0.0.0 Search vendor "Oracle" for product "Business Intelligence" and version "5.9.0.0.0"		enterprise		Affected
Oracle Search vendor "Oracle"		Business Intelligence Search vendor "Oracle" for product "Business Intelligence"				12.2.1.3.0 Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.3.0"		enterprise		Affected
Oracle Search vendor "Oracle"		Business Intelligence Search vendor "Oracle" for product "Business Intelligence"				12.2.1.4.0 Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.4.0"		enterprise		Affected
Oracle Search vendor "Oracle"		Communications Diameter Intelligence Hub Search vendor "Oracle" for product "Communications Diameter Intelligence Hub"				>= 8.0.0 <= 8.1.0 Search vendor "Oracle" for product "Communications Diameter Intelligence Hub" and version " >= 8.0.0 <= 8.1.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Diameter Intelligence Hub Search vendor "Oracle" for product "Communications Diameter Intelligence Hub"				>= 8.2.0 <= 8.2.3 Search vendor "Oracle" for product "Communications Diameter Intelligence Hub" and version " >= 8.2.0 <= 8.2.3"		-		Affected
Oracle Search vendor "Oracle"		Communications Element Manager Search vendor "Oracle" for product "Communications Element Manager"				8.2.2 Search vendor "Oracle" for product "Communications Element Manager" and version "8.2.2"		-		Affected
Oracle Search vendor "Oracle"		Communications Session Report Manager Search vendor "Oracle" for product "Communications Session Report Manager"				>= 8.0.0 <= 8.2.4.0 Search vendor "Oracle" for product "Communications Session Report Manager" and version " >= 8.0.0 <= 8.2.4.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Session Route Manager Search vendor "Oracle" for product "Communications Session Route Manager"				>= 8.0.0 <= 8.2.4 Search vendor "Oracle" for product "Communications Session Route Manager" and version " >= 8.0.0 <= 8.2.4"		-		Affected