CVE-2024-29736
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Apache CXF's WADL service description. It allows attackers to make unauthorized requests from the vulnerable server to internal or external systems when a custom stylesheet parameter is configured. Organizations using affected versions of Apache CXF with REST web services are at risk.
💻 Affected Systems
- Apache CXF
📦 What is this software?
Cxf by Apache
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal systems, exfiltrate sensitive data, or pivot to attack other internal resources by making the vulnerable server send requests to arbitrary destinations.
Likely Case
Unauthorized access to internal HTTP services, metadata endpoints, or cloud instance metadata services leading to information disclosure.
If Mitigated
Limited impact if network segmentation restricts outbound connections and internal services require authentication.
🎯 Exploit Status
Exploitation requires knowledge of the vulnerable endpoint and custom stylesheet configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apache CXF 4.0.5, 3.6.4, or 3.5.9
Vendor Advisory: https://lists.apache.org/thread/4jtpsswn2r6xommol54p5mg263ysgdw2
Restart Required: Yes
Instructions:
1. Identify Apache CXF version currently deployed.
2. Download and install patched version (4.0.5, 3.6.4, or 3.5.9).
3. Replace vulnerable JAR files with patched versions.
4. Restart application server or service using Apache CXF.
🔧 Temporary Workarounds
Disable custom stylesheet parameter
Remove or disable the custom stylesheet configuration in WADL service description
Modify CXF configuration to remove custom stylesheet parameter from WADL service endpoints
Network restriction
Implement network controls to restrict outbound HTTP requests from affected servers
Configure firewall rules to limit outbound HTTP/HTTPS connections from Apache CXF servers
🧯 If You Can't Patch
- Implement strict network segmentation to limit outbound connections from affected servers
- Deploy web application firewall (WAF) rules to detect and block SSRF patterns
🔍 How to Verify
Check if Vulnerable:
Check the Apache CXF version and whether a custom stylesheet parameter is configured on WADL service endpoints
Check Version:
Check application logs, deployment manifests, or use: java -cp cxf-*.jar org.apache.cxf.Version
Verify Fix Applied:
Verify the deployed Apache CXF version is at or above the fixed release for its branch (4.0.5, 3.6.4, or 3.5.9), and test that SSRF attempts are blocked
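The version check above can be scripted. The following is an added example, not code from the advisory or from the Apache CXF project: it classifies a version string against the fixed releases named on this page (4.0.5, 3.6.4, 3.5.9) and reads the version out of a jar's manifest. The manifest attribute names (Implementation-Version, Bundle-Version) are the usual Java/OSGi ones; that a given CXF jar carries them is an assumption, so fall back to the logs or deployment manifests mentioned above if the reader returns nothing.

```python
"""Added example (not from the advisory or the Apache CXF project): classify a
deployed Apache CXF version against the fixed releases the advisory names for
CVE-2024-29736 (4.0.5, 3.6.4, 3.5.9) and pull the version string out of a jar
manifest. The manifest attribute names are the usual OSGi/Java ones; that they
are present in a given CXF jar is an assumption."""
import re
import zipfile
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed release per branch, as stated in the advisory.
FIXED_BY_BRANCH = {
    (4, 0): (4, 0, 5),
    (3, 6): (3, 6, 4),
    (3, 5): (3, 5, 9),
}


def parse_version(text: str) -> Optional[Version]:
    """Extract the first major.minor.patch triple from text (e.g. '3.6.3' or
    'Apache CXF 3.6.3'); None if no triple is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(version_text: str) -> str:
    """Return 'fixed', 'vulnerable', 'review' (branch not named in the
    advisory, so check it by hand) or 'unknown' (no parsable version)."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "review"
    return "fixed" if v >= fixed else "vulnerable"


def version_from_manifest(manifest_text: str) -> Optional[str]:
    """Read Implementation-Version or Bundle-Version from MANIFEST.MF text.
    Manifest lines are 'Name: value'; long values continue on lines that
    start with a single space, which this joins back together."""
    joined = manifest_text.replace("\r\n", "\n").replace("\n ", "")
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", joined, re.MULTILINE)
        if m:
            return m.group(1)
    return None


def version_from_jar(jar_path: str) -> Optional[str]:
    """Open a jar (a zip file) and read its manifest; None if it has none."""
    with zipfile.ZipFile(jar_path) as jar:
        try:
            data = jar.read("META-INF/MANIFEST.MF")
        except KeyError:
            return None
    return version_from_manifest(data.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    import sys
    # Usage: python check_cxf.py /path/to/cxf-core-*.jar ...
    for path in sys.argv[1:]:
        found = version_from_jar(path)
        print(path, found, classify(found or ""))
```

A result of "review" means the branch is not one the advisory lists a fixed release for; treat it as needing manual confirmation rather than as safe.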
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from Apache CXF servers
- Requests to internal IP addresses or metadata endpoints
Network Indicators:
- HTTP requests from Apache CXF servers to unexpected destinations
- Patterns of requests to internal services from web servers
SIEM Query:
source="apache-cxf" AND (dest_ip=169.254.169.254 OR dest_ip=10.* OR dest_ip=192.168.* OR dest_ip=172.16.*)
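The indicators and SIEM query above can be exercised offline before deploying them. The following is an added example, not part of the advisory: it scans constructed outbound-request log lines from a CXF host and flags destinations in private, loopback and link-local ranges (the last of which contains the 169.254.169.254 metadata address). It goes beyond the query on the page in one respect: it matches the whole 172.16.0.0/12 private block, where the pattern 172.16.* only matches 172.16.0.0/16. The key=value log layout and the field names are assumptions, not a real CXF log format.

```python
"""Added example (not from the advisory): scan constructed outbound-request
log lines from a CXF host for destinations in private, loopback and
link-local ranges. The key=value log layout is an assumption."""
import ipaddress
import re
from typing import Dict, Iterable, List

# Destinations an internet-facing REST server should not normally reach.
SUSPECT_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16",                                  # link-local / metadata
    "127.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines; only the dest_ip field matters to the scan.
SAMPLE_LOG = """\
2024-07-01T10:00:01Z host=cxf-app01 src=apache-cxf dest_ip=169.254.169.254 dest_port=80 uri=/latest/meta-data/
2024-07-01T10:00:02Z host=cxf-app01 src=apache-cxf dest_ip=93.184.216.34 dest_port=443 uri=/stylesheet.xsl
2024-07-01T10:00:03Z host=cxf-app01 src=apache-cxf dest_ip=172.20.5.5 dest_port=8080 uri=/admin
2024-07-01T10:00:04Z host=cxf-app01 src=apache-cxf dest_ip=10.1.2.3 dest_port=80 uri=/internal
2024-07-01T10:00:05Z host=cxf-app01 src=apache-cxf dest_ip=[::1] dest_port=8443 uri=/
2024-07-01T10:00:06Z host=cxf-app01 src=apache-cxf dest_ip=not-an-ip dest_port=80 uri=/
"""


def is_suspect(dest: str) -> bool:
    """True if dest parses as an IP inside one of SUSPECT_NETWORKS.
    Brackets around IPv6 literals are stripped; unparsable values are False."""
    try:
        addr = ipaddress.ip_address(dest.strip("[]"))
    except ValueError:
        return False
    return any(addr in net for net in SUSPECT_NETWORKS)


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed fields of every line whose dest_ip is suspect."""
    hits = []
    for line in lines:
        fields = dict(FIELD_RE.findall(line))
        if "dest_ip" in fields and is_suspect(fields["dest_ip"]):
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["dest_ip"], hit.get("dest_port", ""), hit.get("uri", ""))
```

Run against the sample, the scan reports the metadata address, the 172.20.x host (which the 172.16.* pattern would miss), the 10.x host and the IPv6 loopback, and ignores the public address and the malformed value. Whether the 172.20.x line shows up is a quick check that a SIEM rule covers the full RFC 1918 range.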