CVE-2014-0110
Description
Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (/tmp disk consumption) via a large invalid SOAP message.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.cxf:cxf-core (Maven) | < 2.6.14 | 2.6.14 |
| org.apache.cxf:cxf-core (Maven) | >= 2.7.0, < 2.7.11 | 2.7.11 |
Affected products
- cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:* (version range: <= 2.6.13; the 2.7.0–2.7.10 releases are enumerated individually below)
- cpe:2.3:a:apache:cxf:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.9:*:*:*:*:*:*:*
Patches
643b1bc7320c — Don't cache the input stream unless we have gotten through the service invoke phase. If there is an exception or similar on input, there is no need to cache it, just discard what we can.
2 files changed · +28 −12
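--- a/api/src/main/java/org/apache/cxf/interceptor/OutgoingChainInterceptor.java
+++ b/api/src/main/java/org/apache/cxf/interceptor/OutgoingChainInterceptor.java
@@ -57,6 +57,10 @@ public OutgoingChainInterceptor() {
     public void handleMessage(Message message) {
         Exchange ex = message.getExchange();
         BindingOperationInfo binding = ex.get(BindingOperationInfo.class);
+        //if we get this far, we're going to be outputting some valid content, but we COULD
+        //also be "echoing" some of the content from the input. Thus, we need to
+        //mark it as requiring the input to be cached.
+        message.put("cxf.io.cacheinput", Boolean.TRUE);
         if (null != binding && null != binding.getOperationInfo() && binding.getOperationInfo().isOneWay()) {
             closeInput(message);
             return;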
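Review bot: The marker `message.put("cxf.io.cacheinput", Boolean.TRUE);` is set before the one-way check, so a one-way exchange is flagged as needing its input cached immediately before `closeInput(message)` discards that input; if closeInput really does release the stream, moving the put below the one-way `return` keeps the flag meaningful only for exchanges that will produce a response. The key is a bare string literal that must match the lookup in AbstractHTTPDestination byte for byte; a shared constant such as `public static final String CACHE_INPUT = "cxf.io.cacheinput";` wherever CXF keeps its message-property names would stop the two files drifting apart. Whether calling cacheInput() on an already-closed DelegatingInputStream is harmless cannot be told from this hunk. handleMessage's body continues outside the hunk.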
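--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java
@@ -523,21 +523,33 @@ private void cacheInput(Message outMessage) {
         if (inMessage == null) {
             return;
         }
-        Collection<Attachment> atts = inMessage.getAttachments();
-        if (atts != null) {
-            for (Attachment a : atts) {
-                if (a.getDataHandler().getDataSource() instanceof AttachmentDataSource) {
-                    try {
-                        ((AttachmentDataSource)a.getDataHandler().getDataSource()).cache(inMessage);
-                    } catch (IOException e) {
-                        throw new Fault(e);
+        Object o = inMessage.get("cxf.io.cacheinput");
+        DelegatingInputStream in = inMessage.getContent(DelegatingInputStream.class);
+        if (MessageUtils.isTrue(o)) {
+            Collection<Attachment> atts = inMessage.getAttachments();
+            if (atts != null) {
+                for (Attachment a : atts) {
+                    if (a.getDataHandler().getDataSource() instanceof AttachmentDataSource) {
+                        try {
+                            ((AttachmentDataSource)a.getDataHandler().getDataSource()).cache(inMessage);
+                        } catch (IOException e) {
+                            throw new Fault(e);
+                        }
                     }
                 }
             }
-        }
-        DelegatingInputStream in = inMessage.getContent(DelegatingInputStream.class);
-        if (in != null) {
-            in.cacheInput();
+            if (in != null) {
+                in.cacheInput();
+            }
+        } else if (in != null) {
+            //We don't need to cache it, but we may need to consume it in order for the client
+            // to be able to receive a response. (could be blocked sending)
+            //However, also don't want to consume indefinitely. We'll limit to 16M.
+            try {
+                IOUtils.consume(in, 16 * 1024 * 1024);
+            } catch (IOException ioe) {
+                //ignore
+            }
         }
     }
 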
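Review bot: The discard bound in `IOUtils.consume(in, 16 * 1024 * 1024);` is a magic number buried in the else branch, and the `//ignore` catch drops the IOException without a trace; a named constant `private static final int MAX_DISCARD_BYTES = 16 * 1024 * 1024;` with a comment stating that anything beyond it is left unread on the socket (which presumably makes the connection non-reusable) would make the limit auditable, and a debug-level log in the catch would help diagnose clients that stall. The lookup `inMessage.get("cxf.io.cacheinput")` repeats the literal set in OutgoingChainInterceptor, so a shared constant would stop the two drifting apart. Note that the change only skips caching when the marker is absent: an oversized but otherwise valid request that reaches the outgoing chain is still cached to disk, so this is not a substitute for a transport-level request size limit. cacheInput's signature is only in the hunk header and the lines before `if (inMessage == null)` are outside the hunk.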
8f4799b5bc5e — Don't cache the input stream unless we have gotten through the service invoke phase. If there is an exception or similar on input, there is no need to cache it, just discard what we can.
2 files changed · +28 −12
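--- a/core/src/main/java/org/apache/cxf/interceptor/OutgoingChainInterceptor.java
+++ b/core/src/main/java/org/apache/cxf/interceptor/OutgoingChainInterceptor.java
@@ -57,6 +57,10 @@ public OutgoingChainInterceptor() {
     public void handleMessage(Message message) {
         Exchange ex = message.getExchange();
         BindingOperationInfo binding = ex.get(BindingOperationInfo.class);
+        //if we get this far, we're going to be outputting some valid content, but we COULD
+        //also be "echoing" some of the content from the input. Thus, we need to
+        //mark it as requiring the input to be cached.
+        message.put("cxf.io.cacheinput", Boolean.TRUE);
         if (null != binding && null != binding.getOperationInfo() && binding.getOperationInfo().isOneWay()) {
             closeInput(message);
             return;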
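Review bot: `message.put("cxf.io.cacheinput", Boolean.TRUE);` runs before the one-way branch, so one-way exchanges are marked as needing their input cached right before `closeInput(message)` throws that input away; placing the put after the one-way `return` would confine the marker to exchanges that actually answer, assuming closeInput releases the stream as its name suggests. The property name is a raw literal that AbstractHTTPDestination must spell identically; a shared constant, e.g. `public static final String CACHE_INPUT = "cxf.io.cacheinput";`, would remove that coupling. The rest of handleMessage lies outside the hunk.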
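--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java
@@ -542,21 +542,33 @@ private void cacheInput(Message outMessage) {
         if (inMessage == null) {
             return;
         }
-        Collection<Attachment> atts = inMessage.getAttachments();
-        if (atts != null) {
-            for (Attachment a : atts) {
-                if (a.getDataHandler().getDataSource() instanceof AttachmentDataSource) {
-                    try {
-                        ((AttachmentDataSource)a.getDataHandler().getDataSource()).cache(inMessage);
-                    } catch (IOException e) {
-                        throw new Fault(e);
+        Object o = inMessage.get("cxf.io.cacheinput");
+        DelegatingInputStream in = inMessage.getContent(DelegatingInputStream.class);
+        if (MessageUtils.isTrue(o)) {
+            Collection<Attachment> atts = inMessage.getAttachments();
+            if (atts != null) {
+                for (Attachment a : atts) {
+                    if (a.getDataHandler().getDataSource() instanceof AttachmentDataSource) {
+                        try {
+                            ((AttachmentDataSource)a.getDataHandler().getDataSource()).cache(inMessage);
+                        } catch (IOException e) {
+                            throw new Fault(e);
+                        }
                     }
                 }
             }
-        }
-        DelegatingInputStream in = inMessage.getContent(DelegatingInputStream.class);
-        if (in != null) {
-            in.cacheInput();
+            if (in != null) {
+                in.cacheInput();
+            }
+        } else if (in != null) {
+            //We don't need to cache it, but we may need to consume it in order for the client
+            // to be able to receive a response. (could be blocked sending)
+            //However, also don't want to consume indefinitely. We'll limit to 16M.
+            try {
+                IOUtils.consume(in, 16 * 1024 * 1024);
+            } catch (IOException ioe) {
+                //ignore
+            }
         }
     }
 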
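Review bot: `IOUtils.consume(in, 16 * 1024 * 1024);` hard-codes the drain limit and the following `catch (IOException ioe) { //ignore }` swallows the failure silently; hoisting the bound into `private static final int MAX_DISCARD_BYTES = 16 * 1024 * 1024;` with a comment that bytes beyond it stay unread on the connection, and logging the exception at debug level, would make the best-effort drain auditable without changing behaviour. The property key `"cxf.io.cacheinput"` is duplicated as a literal between this lookup and the put in OutgoingChainInterceptor; one shared constant would keep them in sync. The new code still caches whenever the marker is set, so a large request that is valid enough to reach the outgoing chain is still buffered; a transport-level size limit remains necessary on top of this change. Only the tail of cacheInput is visible in the hunk.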
35cd29270b77 — Don't cache the input stream unless we have gotten through the service invoke phase. If there is an exception or similar on input, there is no need to cache it, just discard what we can.
2 files changed · +28 −12
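--- a/api/src/main/java/org/apache/cxf/interceptor/OutgoingChainInterceptor.java
+++ b/api/src/main/java/org/apache/cxf/interceptor/OutgoingChainInterceptor.java
@@ -57,6 +57,10 @@ public OutgoingChainInterceptor() {
     public void handleMessage(Message message) {
         Exchange ex = message.getExchange();
         BindingOperationInfo binding = ex.get(BindingOperationInfo.class);
+        //if we get this far, we're going to be outputting some valid content, but we COULD
+        //also be "echoing" some of the content from the input. Thus, we need to
+        //mark it as requiring the input to be cached.
+        message.put("cxf.io.cacheinput", Boolean.TRUE);
         if (null != binding && null != binding.getOperationInfo() && binding.getOperationInfo().isOneWay()) {
             closeInput(message);
             return;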
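Review bot: The added `message.put("cxf.io.cacheinput", Boolean.TRUE);` precedes the one-way check, so exchanges that immediately hit `closeInput(message)` are nonetheless marked as requiring their input to be cached; if closeInput discards the stream, the put belongs after the one-way `return`. The key is a bare string that must match the read in AbstractHTTPDestination exactly, which a shared constant such as `public static final String CACHE_INPUT = "cxf.io.cacheinput";` would guarantee. The remainder of handleMessage is outside the hunk.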
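--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java
@@ -517,21 +517,33 @@ private void cacheInput(Message outMessage) {
         if (inMessage == null) {
             return;
         }
-        Collection<Attachment> atts = inMessage.getAttachments();
-        if (atts != null) {
-            for (Attachment a : atts) {
-                if (a.getDataHandler().getDataSource() instanceof AttachmentDataSource) {
-                    try {
-                        ((AttachmentDataSource)a.getDataHandler().getDataSource()).cache(inMessage);
-                    } catch (IOException e) {
-                        throw new Fault(e);
+        Object o = inMessage.get("cxf.io.cacheinput");
+        DelegatingInputStream in = inMessage.getContent(DelegatingInputStream.class);
+        if (MessageUtils.isTrue(o)) {
+            Collection<Attachment> atts = inMessage.getAttachments();
+            if (atts != null) {
+                for (Attachment a : atts) {
+                    if (a.getDataHandler().getDataSource() instanceof AttachmentDataSource) {
+                        try {
+                            ((AttachmentDataSource)a.getDataHandler().getDataSource()).cache(inMessage);
+                        } catch (IOException e) {
+                            throw new Fault(e);
+                        }
                     }
                 }
             }
-        }
-        DelegatingInputStream in = inMessage.getContent(DelegatingInputStream.class);
-        if (in != null) {
-            in.cacheInput();
+            if (in != null) {
+                in.cacheInput();
+            }
+        } else if (in != null) {
+            //We don't need to cache it, but we may need to consume it in order for the client
+            // to be able to receive a response. (could be blocked sending)
+            //However, also don't want to consume indefinitely. We'll limit to 16M.
+            try {
+                IOUtils.consume(in, 16 * 1024 * 1024);
+            } catch (IOException ioe) {
+                //ignore
+            }
         }
     }
 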
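Review bot: The limit in `IOUtils.consume(in, 16 * 1024 * 1024);` is an unexplained literal and the `//ignore` catch hides any read failure; a named `private static final int MAX_DISCARD_BYTES = 16 * 1024 * 1024;` plus a comment noting that a request exceeding it is left partly unread (so the connection is presumably unusable for keep-alive), and a debug log in the catch, would make the drain reviewable. The lookup `inMessage.get("cxf.io.cacheinput")` and the put in OutgoingChainInterceptor should share one constant rather than two copies of the literal. Because caching still happens whenever the marker is set, a large request that gets as far as the outgoing chain is still buffered to disk; the change narrows the fault path but does not bound request size by itself. The start of cacheInput is outside the hunk.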
Vulnerability mechanics
Before the fix, AbstractHTTPDestination.cacheInput() cached the inbound request unconditionally on the response path: it called AttachmentDataSource.cache() for every attachment and DelegatingInputStream.cacheInput() on the request body, even when the request had already failed — for example a large, invalid SOAP message that never reached the service. According to the advisory that buffering ends up in temporary files, so an attacker can exhaust /tmp by repeatedly sending large invalid messages. The patch makes caching opt-in: OutgoingChainInterceptor sets the message property cxf.io.cacheinput only once the exchange has reached the outgoing chain (a real response is being produced that might echo the input), and cacheInput() caches only when that property is true; otherwise it drains the remaining input with IOUtils.consume(), capped at 16 MiB (16 * 1024 * 1024 bytes), so the client can still receive the fault response without unbounded buffering. The three commits listed appear to apply the same change to different release branches (note the api/ vs core/ paths and the differing hunk offsets).
References
- cxf.apache.org/security-advisories.data/CVE-2014-0110.txt.asc (nvd: Vendor Advisory)
- github.com/advisories/GHSA-5xf9-3v63-ww6fghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2014-0110ghsaADVISORY
- cxf.apache.org/security-advisories.data/CVE-2014-0110.txt.ascghsaWEB
- rhn.redhat.com/errata/RHSA-2014-1351.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2015-0850.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2015-0851.htmlnvdWEB
- github.com/apache/cxf/commit/35cd29270b77b489cb23552637d66d47ce480f4cghsaWEB
- github.com/apache/cxf/commit/643b1bc7320ca90c3e078e50509f9a30a0ab45beghsaWEB
- github.com/apache/cxf/commit/8f4799b5bc5ed0fe62d6e018c45d960e3652373eghsaWEB
- lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3EghsaWEB
- www.securitytracker.com/id/1030202nvd
- lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3Envd
- lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3Envd
- lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3Envd
- lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3Envd
- lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3Envd
- lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3Envd
News mentions
No linked articles in our index yet.