CVE-2021-30468
📋 TL;DR
A denial-of-service vulnerability in Apache CXF's JsonMapObjectReaderWriter (the lightweight JSON reader in the cxf-rt-rs-json-basic module, also used by CXF's JOSE and OAuth2/OIDC security modules) lets an attacker who can reach a web service that parses request bodies with this class send a specially crafted, malformed JSON document. The parsing thread enters an infinite loop and pins a CPU core indefinitely; because the request never completes, each such request permanently occupies one worker thread, so repeated requests exhaust the server's thread pool. This affects Apache CXF versions before 3.4.4 (3.4.x line) and before 3.3.11 (3.3.x line), and any product that bundles a vulnerable CXF, such as Apache TomEE.
💻 Affected Systems
- Apache CXF
📦 What is this software?
Cxf by Apache
Tomee by Apache
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to CPU exhaustion, potentially affecting multiple services on shared infrastructure through resource starvation.
Likely Case
Degraded performance and intermittent service outages affecting JSON-based web service endpoints.
If Mitigated
Reduced impact: upstream JSON validation and rate limiting slow an attacker down and make the activity visible, but any malformed request that still reaches a vulnerable parser costs a worker thread and a CPU core until the JVM is restarted. Only the patch removes the exposure.
🎯 Exploit Status
Exploitation requires only the ability to send malformed JSON to an endpoint that parses request bodies with JsonMapObjectReaderWriter; no special tooling is needed, and no authentication beyond whatever the endpoint itself demands. The vendor advisory and the mailing-list announcements describe the trigger (malformed JSON that sends the parser into an infinite loop); this page links no public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apache CXF 3.4.4 or 3.3.11
Vendor Advisory: http://cxf.apache.org/security-advisories.data/CVE-2021-30468.txt.asc
Restart Required: Yes
Instructions:
1. Download Apache CXF 3.4.4 (3.4.x line) or 3.3.11 (3.3.x line) from the official Apache repository or Maven Central and bump the CXF version in your build; all CXF artifacts must move together.
2. Replace the vulnerable CXF libraries in your application. If CXF is bundled by a container such as Apache TomEE, upgrade the container to a release that ships the fixed CXF rather than swapping jars by hand.
3. Restart the application server; a thread already stuck in the loop only goes away with a JVM restart.
4. Verify the fix by checking the deployed version and exercising JSON endpoints with both well-formed and malformed payloads.
🔧 Temporary Workarounds
Input Validation Filter
Implement request filtering that rejects malformed JSON before it reaches CXF components
Implement a custom servlet filter, or WAF rules, that runs a strict JSON parser with size and nesting limits over the body and returns 400 on any parse failure; the loop is triggered by malformed input, so well-formedness is the property to enforce
Rate Limiting
Limit requests per client to slow an attacker down and surface the activity; every malformed request that gets through still pins a thread, so this buys time rather than removing the risk
Configure rate limiting at the edge (nginx: limit_req_zone with limit_req; Apache httpd: mod_evasive or mod_qos for per-client request limits; note that mod_ratelimit only throttles bandwidth and does not limit request rate)
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) with JSON validation rules
- Deploy network-level rate limiting and monitor for abnormal CPU spikes
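The "Input Validation Filter" workaround above, written out as a gateway-side check. This is an added example for this page, not code from the CXF project or from any WAF product; it assumes the check runs in front of the CXF service with access to the raw request body, and the size and depth limits, function names and sample bodies are assumptions. It rejects non-JSON content types, oversized bodies, unbalanced or unterminated documents, excessive nesting, and anything a strict RFC 8259 parse refuses. It does not know the exact byte sequence that triggers the CXF loop; it enforces well-formedness, which is the property the vulnerable parser fails to check, and it protects nothing that reaches the backend by another path.

```python
"""Gateway-side pre-validation of JSON request bodies (CVE-2021-30468 workaround).

Added example for this page, not code from the CXF project. Assumes the check
runs in front of the CXF service with access to the raw body. Limits and the
sample bodies are assumed values, not measurements from any real deployment.
"""
import json

MAX_BYTES = 256 * 1024  # assumed ceiling for this service's legitimate payloads
MAX_DEPTH = 32          # assumed; legitimate payloads rarely nest this deep


def nesting_depth(text):
    """Deepest []/{} nesting, ignoring brackets inside strings.
    Returns None for unbalanced brackets or an unterminated string."""
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                return None
    return deepest if depth == 0 and not in_string else None


def _reject_constant(name):
    # NaN/Infinity are not RFC 8259 JSON; refuse rather than let Python accept them.
    raise ValueError(f"non-standard literal {name}")


def prevalidate(body, content_type):
    """Return (status, reason): (200, 'ok') means forward to CXF; anything else
    is the HTTP status to answer with instead of forwarding."""
    if content_type.split(";")[0].strip().lower() != "application/json":
        return 415, "unsupported media type"
    if len(body) > MAX_BYTES:
        return 413, "body too large"
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        return 400, "body is not valid UTF-8"
    depth = nesting_depth(text)
    if depth is None:
        return 400, "unbalanced brackets or unterminated string"
    if depth > MAX_DEPTH:
        return 400, "nesting too deep"
    try:
        json.loads(text, parse_constant=_reject_constant)  # strict parse; any syntax error raises
    except (ValueError, RecursionError):
        return 400, "malformed json"
    return 200, "ok"


# Constructed request bodies (not real traffic).
SAMPLES = {
    "well-formed": (b'{"order": {"id": 42, "items": ["a", "b}"]}}', "application/json; charset=utf-8"),
    "truncated":   (b'{"order": {"id": 42', "application/json"),
    "bad-string":  (b'{"order": "never closed', "application/json"),
    "bad-literal": (b'{"ok": tru}', "application/json"),
    "too-deep":    (b"[" * 40 + b"]" * 40, "application/json"),
    "wrong-type":  (b'{"ok": true}', "text/plain"),
}

if __name__ == "__main__":
    for label, (body, ctype) in SAMPLES.items():
        print(f"{label:12} -> {prevalidate(body, ctype)}")
```

The bracket scan runs before the full parse so that a truncated or unterminated body is rejected in one linear pass without handing it to any recursive parser; the strict `json.loads` then catches everything else (bad literals, trailing garbage, non-standard `NaN`). A servlet filter in front of CXF would apply the same sequence of checks to the request's input stream.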
🔍 How to Verify
Check if Vulnerable:
Check the CXF version in your application's dependencies or on the classpath. Maven: mvn dependency:tree -Dincludes=org.apache.cxf (lists every CXF artifact, including transitive ones pulled in by other libraries). Gradle: gradle dependencies --configuration runtimeClasspath | grep cxf. For a container such as Apache TomEE, inspect the cxf-*.jar files in its lib directory. Any 3.2.x or older release, any 3.3.x release below 3.3.11, and any 3.4.x release below 3.4.4 is affected.
Check Version:
The jar file name carries the version (for example cxf-core-3.4.3.jar); to confirm from the jar itself, read its manifest: unzip -p cxf-core-*.jar META-INF/MANIFEST.MF | grep -E '^(Bundle-Version|Implementation-Version)'
Verify Fix Applied:
Verify the deployed CXF version is 3.3.11 or later on the 3.3 line, or 3.4.4 or later on the 3.4 line (later lines such as 3.5 were released after the fix). Then exercise JSON endpoints with both well-formed and malformed (truncated, unbalanced) payloads and confirm via a thread dump that no thread stays pinned in JsonMapObjectReaderWriter.
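The version check above, turned into a script that reads dependency-tree output and applies the advisory's branch-specific cutoffs. This is an added example for this page, not code from the CXF project; the `mvn dependency:tree` text it parses is constructed sample output, and the rule that 3.2.x and older are affected while 3.5 and later postdate the fix is drawn from the advisory's "prior to 3.4.4 and 3.3.11" statement. It judges versions only, not whether your code actually routes untrusted JSON through JsonMapObjectReaderWriter.

```python
"""Decide whether deployed Apache CXF artifacts are affected by CVE-2021-30468.

Added example for this page, not code from the CXF project. Fixed versions are
those in the vendor advisory: 3.3.11 on the 3.3.x line and 3.4.4 on the 3.4.x
line. Branches older than 3.3 never received the fix and are treated as
affected; branches newer than 3.4 postdate it. The `mvn dependency:tree`
output below is constructed sample text, not real project output.
"""
import re

# Branch -> first safe version, per the advisory.
FIXED = {(3, 3): (3, 3, 11), (3, 4): (3, 4, 4)}

# Matches a Maven coordinate such as "org.apache.cxf:cxf-core:jar:3.4.3:compile".
CXF_COORD = re.compile(r"org\.apache\.cxf:(?P<artifact>[\w.-]+):jar:(?P<version>[^:\s]+)")


def parse_version(version):
    """'3.4.3' -> (3, 4, 3). A qualifier such as '-SNAPSHOT' is ignored, so
    treat snapshot builds as suspect rather than trusting the number."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised CXF version: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version):
    """True when `version` is below the first fixed release of its branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED:
        return (major, minor, patch) < FIXED[branch]
    return branch < (3, 3)  # 3.2.x and older: affected; 3.5 and later: released after the fix


def scan_dependency_tree(text):
    """Return [(artifact, version, vulnerable)] for every CXF jar in the tree.

    Transitive CXF dependencies are listed too, which matters when CXF arrives
    through another library rather than as a direct dependency."""
    return [
        (m["artifact"], m["version"], is_vulnerable(m["version"]))
        for m in CXF_COORD.finditer(text)
    ]


# Constructed sample of `mvn dependency:tree -Dincludes=org.apache.cxf` output.
SAMPLE_TREE = """\
[INFO] com.example:orders:war:1.0
[INFO] +- org.apache.cxf:cxf-rt-frontend-jaxrs:jar:3.4.3:compile
[INFO] |  \\- org.apache.cxf:cxf-core:jar:3.4.3:compile
[INFO] \\- org.apache.cxf:cxf-rt-rs-json-basic:jar:3.4.3:compile
"""

if __name__ == "__main__":
    for artifact, version, vulnerable in scan_dependency_tree(SAMPLE_TREE):
        print(f"{artifact} {version}: {'VULNERABLE' if vulnerable else 'ok'}")
```

Pipe real output into it with `mvn dependency:tree -Dincludes=org.apache.cxf | python3 cxf_check.py` after replacing the sample text with `sys.stdin.read()`; the branch-aware comparison is the point, since a plain "is it at least 3.4.4" check would wrongly flag a patched 3.3.11 deployment.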
📡 Detection & Monitoring
Log Indicators:
- Sustained high CPU on the JVM with no matching rise in throughput (one core pinned per stuck request)
- Thread dumps (jstack) showing RUNNABLE threads with org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter frames that remain in the same method across consecutive dumps
- Rising latency, client-side timeouts and eventual worker-pool exhaustion on JSON endpoints; the stuck request never completes, so the application itself may log nothing for it
Network Indicators:
- Repeated malformed or truncated JSON bodies from a single source, particularly to requests that never receive a response
- Abnormal request patterns to JSON endpoints
SIEM Query:
The stuck thread writes no application log line, so searching application logs for "infinite loop" finds nothing. Alert on thread dumps or stack samples instead, for example (source and field names illustrative):
source="thread-dumps" AND "java.lang.Thread.State: RUNNABLE" AND "org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter"
and correlate with a host CPU metric that stays above 90% for several consecutive samples.
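The thread-dump indicator above, as a triage script that parses two jstack dumps taken a few seconds apart and reports threads that are RUNNABLE inside JsonMapObjectReaderWriter in both. This is an added example for this page, not code from the CXF project. It assumes the standard HotSpot `jstack` text format; the two dumps embedded below are constructed, with placeholder thread names, addresses, resource class and line numbers, and only the JsonMapObjectReaderWriter class name is taken from the advisory.

```python
"""Triage jstack thread dumps for threads spinning in JsonMapObjectReaderWriter.

Added example for this page, not code from the CXF project. Assumes the
standard HotSpot `jstack` text format. The dumps below are constructed:
thread names, addresses, the resource class and line numbers are placeholders.
"""
import re

TARGET = "org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter"
THREAD_HEADER = re.compile(r'^"(?P<name>[^"]+)"')
STATE_LINE = re.compile(r"^\s*java\.lang\.Thread\.State:\s*(?P<state>\w+)")
FRAME_LINE = re.compile(r"^\s*at\s+(?P<frame>\S+)")


def parse_dump(text):
    """Return {thread_name: {"state": str, "frames": [top_frame, ...]}}."""
    threads, current = {}, None
    for line in text.splitlines():
        header = THREAD_HEADER.match(line)
        if header:
            current = {"state": "UNKNOWN", "frames": []}
            threads[header["name"]] = current
            continue
        if current is None:
            continue
        state = STATE_LINE.match(line)
        if state:
            current["state"] = state["state"]
            continue
        frame = FRAME_LINE.match(line)
        if frame:
            current["frames"].append(frame["frame"])
    return threads


def on_target(thread):
    return any(f.startswith(TARGET) for f in thread["frames"])


def top_method(thread):
    """Top frame without its '(File.java:NN)' part, so a thread looping across
    several source lines of one method still compares equal between dumps."""
    return thread["frames"][0].split("(")[0] if thread["frames"] else None


def suspects(threads):
    """Threads that are RUNNABLE with the vulnerable class on their stack."""
    return sorted(n for n, t in threads.items() if t["state"] == "RUNNABLE" and on_target(t))


def stuck_between(dump_a, dump_b):
    """Suspects from the first dump still RUNNABLE in the same method in the second.

    A healthy parser thread finishes its request between two dumps taken a few
    seconds apart; one caught in the CVE-2021-30468 loop never leaves the method."""
    a, b = parse_dump(dump_a), parse_dump(dump_b)
    return [
        n for n in suspects(a)
        if n in b and b[n]["state"] == "RUNNABLE" and on_target(b[n])
        and top_method(a[n]) == top_method(b[n])
    ]


# Constructed dump at t=0: two workers parsing JSON, one idle.
DUMP_T0 = """\
"http-nio-8080-exec-3" #42 daemon prio=5 tid=0x1 nid=0x2a5f runnable
   java.lang.Thread.State: RUNNABLE
\tat org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter.fromJson(JsonMapObjectReaderWriter.java:321)
\tat com.example.orders.OrderResource.create(OrderResource.java:48)

"http-nio-8080-exec-7" #46 daemon prio=5 tid=0x2 nid=0x2a63 runnable
   java.lang.Thread.State: RUNNABLE
\tat org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter.fromJson(JsonMapObjectReaderWriter.java:321)
\tat com.example.orders.OrderResource.create(OrderResource.java:48)

"http-nio-8080-exec-9" #48 daemon prio=5 tid=0x3 nid=0x2a65 waiting on condition
   java.lang.Thread.State: WAITING (parking)
\tat sun.misc.Unsafe.park(Native Method)
"""

# Constructed dump at t=5s: exec-7 finished its request, exec-3 is still in fromJson.
DUMP_T5 = """\
"http-nio-8080-exec-3" #42 daemon prio=5 tid=0x1 nid=0x2a5f runnable
   java.lang.Thread.State: RUNNABLE
\tat org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter.fromJson(JsonMapObjectReaderWriter.java:318)
\tat com.example.orders.OrderResource.create(OrderResource.java:48)

"http-nio-8080-exec-7" #46 daemon prio=5 tid=0x2 nid=0x2a63 waiting on condition
   java.lang.Thread.State: WAITING (parking)
\tat sun.misc.Unsafe.park(Native Method)

"http-nio-8080-exec-9" #48 daemon prio=5 tid=0x3 nid=0x2a65 waiting on condition
   java.lang.Thread.State: WAITING (parking)
\tat sun.misc.Unsafe.park(Native Method)
"""

if __name__ == "__main__":
    print("suspects at t=0:", suspects(parse_dump(DUMP_T0)))
    print("stuck across dumps:", stuck_between(DUMP_T0, DUMP_T5))
```

In use, take the dumps with `jstack <pid>` a few seconds apart and pass their contents to `stuck_between`; a single dump only yields suspects, since a busy parser thread legitimately shows the same frames for a moment, while a thread that is in the same method in both dumps with CPU pinned is the CVE-2021-30468 signature.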
🔗 References
- http://cxf.apache.org/security-advisories.data/CVE-2021-30468.txt.asc
- http://www.openwall.com/lists/oss-security/2021/06/16/2
- https://lists.apache.org/thread.html/r3f46ae38e4a6e80c069cdb320e0ce831b0a21a12ef0cc92c0943f34a%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r4771084730c4cf6e59eda60b4407122c86f174eb750b24f610ba9ff4%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r4a4b6bc0520b69c18d2a59daa6af84ae49f0c22164dccb8538794459%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r4a4b6bc0520b69c18d2a59daa6af84ae49f0c22164dccb8538794459%40%3Cdev.cxf.apache.org%3E
- https://lists.apache.org/thread.html/r4a4b6bc0520b69c18d2a59daa6af84ae49f0c22164dccb8538794459%40%3Cusers.cxf.apache.org%3E
- https://lists.apache.org/thread.html/r54c0f1cbbb9f381dfbedb9ea5e90ecb1c0a15371f40c4b10322ac737%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/ra833f78b3fa577cb43558cf343859a1bf70b1c5ce2353b3877d96422%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rac07822057521dccf33ab5d136e0e8c599a6e2c8ac75e44ffbdc6e07%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/re5b2a2b77faa22684d47bd2ac6623135c615565328ff40a1ec705448%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/re9e05c6cab5f0dcc827eba4e6fcf26fa0b493e7ca84d62c867a80d03%40%3Ccommits.tomee.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210917-0002/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html