High Severity

Security Bulletin: Apache CXF (Publicly disclosed vulnerability)


CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters in a JWT token rather than as query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending the JWT token in the “request” parameter, the spec also allows the client to supply, in the “request_uri” parameter, a URI from which the authorization server retrieves the JWT token. CXF was not validating the “request_uri” parameter (apart from ensuring it uses “https”) and was making a REST request to whatever URI the incoming request named in order to retrieve the token. This means that CXF was vulnerable to DDoS attacks on the authorization server, as described in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3 and Apache CXF versions prior to 3.3.10.
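The following is an added illustration of the check the bulletin's description implies, written here for this page; it is not Apache CXF's code or its actual fix. It assumes a hypothetical per-client registry of pre-registered request_uri values (the mitigation section 10.4.1 of the JAR spec points at) and a function name, check_request_uri, chosen for this example. The server only dereferences a request_uri that is https, well formed, and an exact match for a value the client registered in advance, so an attacker cannot make the authorization server fetch arbitrary URIs.

```python
from urllib.parse import urlparse

# Constructed example registry (an assumption for this illustration, not CXF's
# configuration model): each client_id maps to the exact request_uri values the
# client pre-registered with the authorization server.
REGISTERED_REQUEST_URIS = {
    "client-a": {"https://client-a.example/jar/signed-request.jwt"},
    "client-b": {"https://client-b.example/oauth/request"},
}


def check_request_uri(client_id, params, registry=REGISTERED_REQUEST_URIS):
    """Decide whether the server may dereference params['request_uri'].

    Returns (allowed, reason). Any rejection stops the server from issuing an
    outbound request on the client's behalf; only an exact, pre-registered
    https URI belonging to this client is accepted.
    """
    request_uri = params.get("request_uri")
    if request_uri is None:
        return False, "missing request_uri"
    # JAR forbids sending both request and request_uri in one authorization request.
    if "request" in params:
        return False, "request and request_uri must not both be present"

    parsed = urlparse(request_uri)
    if parsed.scheme != "https":
        return False, "scheme is not https"
    # Reject userinfo ("user@host") and empty authorities, which are never
    # legitimate for a registered request_uri.
    if not parsed.netloc or "@" in parsed.netloc:
        return False, "malformed authority"
    if parsed.fragment:
        return False, "fragment not allowed"

    # The decisive check: exact match against what this client pre-registered.
    # A scheme check alone (the pre-fix behaviour described in the bulletin) is
    # not enough, because the URI is still attacker-chosen.
    if request_uri not in registry.get(client_id, set()):
        return False, "request_uri not pre-registered for client"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample authorization requests, as a defender would see them
    # in a test harness; none of them is taken from the bulletin.
    samples = [
        ("client-a", {"request_uri": "https://client-a.example/jar/signed-request.jwt"}),
        ("client-a", {"request_uri": "http://client-a.example/jar/signed-request.jwt"}),
        ("client-a", {"request_uri": "https://unregistered.example/resource"}),
        ("client-b", {"request_uri": "https://client-a.example/jar/signed-request.jwt"}),
        ("client-a", {"request_uri": "https://client-a.example/jar/signed-request.jwt",
                      "request": "eyJ.constructed.jwt"}),
    ]
    for client_id, params in samples:
        allowed, reason = check_request_uri(client_id, params)
        print(f"{client_id}: {params.get('request_uri')} -> {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Only the first sample is dereferenced; the others are refused before any outbound connection is made, which is the property the vulnerable versions lacked. Logging the reason string gives operations a straightforward signal for alerting on repeated rejections from one client.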

CVE(s): CVE-2021-22696

Affected product(s) and affected version(s):

Affected Product(s)    Version(s)
ITNM                   3.9
ITNM                   4.1.1.x
ITNM                   4.2.0.x

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www.ibm.com/support/pages/node/6483061
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/199335
