Vulnerability Name:

CVE-2016-8739 (CCN-120408)

Assigned:2016-10-18
Published:2017-01-02
Updated:2021-06-16
Summary:The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use the Apache Abdera Parser, which expands XML entities by default, and this represents a major XXE risk.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): None
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity:7.8 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type:CWE-611
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2016-8739

Source: CCN
Type: Apache Web site
Apache CXF

Source: CCN
Type: Apache Web site
Atom entity provider of Apache CXF JAX-RS is vulnerable to XXE

Source: CONFIRM
Type: Patch, Vendor Advisory
http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc

Source: CCN
Type: RHSA-2017-0868
Important: Red Hat JBoss Fuse/A-MQ 6.3 R2 security and bug fix update

Source: CCN
Type: IBM Security Bulletin 958165 (Security Identity Governance and Intelligence)
IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerability

Source: CCN
Type: IBM Security Bulletin 2003397 (Tivoli Application Dependency Discovery Manager)
Open Source Apache CXF Vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2016-6812, CVE-2016-8739)

Source: CCN
Type: IBM Security Bulletin 2003596 (Tivoli Network Manager IP Edition)
Security vulnerabilities have been identified in the Apache CXF component of IBM Tivoli Network Manager IP Edition (CVE-2016-6812, CVE-2016-8739)

Source: BID
Type: Third Party Advisory, VDB Entry
97579

Source: CCN
Type: BID-97579
Apache CXF JAX-RS CVE-2016-8739 XML External Entity Injection Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1037544

Source: REDHAT
Type: UNKNOWN
RHSA-2017:0868

Source: XF
Type: UNKNOWN
apache-cxf-cve20168739-info-disc(120408)

Source: MLIST
Type: UNKNOWN
[cxf-commits] 20200319 svn commit: r1058035 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html

Source: MLIST
Type: UNKNOWN
[cxf-commits] 20200116 svn commit: r1055336 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-12423.txt.asc security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html

Source: MLIST
Type: UNKNOWN
[cxf-commits] 20201112 svn commit: r1067927 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2020-13954.txt.asc security-advisories.html

Source: MLIST
Type: UNKNOWN
[cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html

Source: MLIST
Type: UNKNOWN
[cxf-commits] 20210616 svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html

Source: MLIST
Type: UNKNOWN
[cxf-commits] 20200401 svn commit: r1058573 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2020-1954.txt.asc security-advisories.html

Source: CCN
Type: IBM Security Bulletin 735723 (Rational Rhapsody Design Manager)
Multiple vulnerabilities affect IBM Rational Design Manager

Source: CCN
Type: IBM Security Bulletin 2011984 (InfoSphere Master Data Management Server)
Multiple security vulnerabilities in Apache CXF affect IBM InfoSphere Master Data Management (CVE-2016-6812 CVE-2016-8739 CVE-2017-5653 CVE-2017-5656 CVE-2017-3156)

Source: CCN
Type: IBM Security Bulletin 6207901 (Security Identity Governance and Intelligence)
IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities

Vulnerable Configuration:Configuration 1:
  • cpe:/a:apache:cxf:3.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:3.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:3.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:3.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:*:*:*:*:*:*:*:* (Version <= 3.0.11)
  • OR cpe:/a:apache:cxf:3.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:3.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:3.1.8:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:3.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:3.1.4:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:apache:cxf:3.0.11:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:3.1.8:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:rational_rhapsody_design_manager:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_network_manager:4.1.1:*:ip:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management_server:10.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_network_manager:4.2:*:ip:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_a-mq:6.3:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_fuse:6.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management_server:11.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management_server:11.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management_server:11.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management_server:11.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management_server:11.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_rhapsody_design_manager:5.01:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_rhapsody_design_manager:5.02:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.6:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable