Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2022-46364

CVE-2022-46364: Apache CXF SSRF Vulnerability

CVE-2022-46364 is an SSRF vulnerability in Apache CXF affecting MTOM request parsing that enables attackers to perform server-side request forgery attacks. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2022-46364 Overview

CVE-2022-46364 is a Server-Side Request Forgery (SSRF) vulnerability in Apache CXF, a popular open-source services framework. The vulnerability exists in the parsing of the href attribute of XOP:Include elements within Message Transmission Optimization Mechanism (MTOM) requests. This flaw allows an attacker to perform SSRF-style attacks on web services that accept at least one parameter of any type.

Critical Impact

Remote attackers can exploit this vulnerability to make arbitrary HTTP requests from the affected server, potentially accessing internal services, sensitive data, or pivoting to attack internal network resources without authentication.

Affected Products

  • Apache CXF versions before 3.5.5
  • Apache CXF versions before 3.4.10

Discovery Timeline

  • 2022-12-13 - CVE-2022-46364 published to NVD
  • 2025-04-22 - Last updated in NVD database

Technical Details for CVE-2022-46364

Vulnerability Analysis

This vulnerability stems from improper handling of the href attribute within XOP:Include elements during MTOM request processing. MTOM is a W3C recommendation for optimizing the transmission of binary data in SOAP messages, and XOP:Include elements allow referencing binary content via URI references. Apache CXF fails to properly validate these URI references, enabling attackers to specify arbitrary URLs that the server will then request.

The vulnerability is particularly dangerous because it requires no authentication and can be exploited remotely through network-accessible web services. Any web service endpoint that processes MTOM-encoded requests with at least one parameter becomes a potential attack vector.

Root Cause

The root cause is insufficient validation of the href attribute values in XOP:Include elements (CWE-918: Server-Side Request Forgery). When Apache CXF parses MTOM requests, it follows the URI specified in the href attribute without properly restricting the allowed schemes or destinations. This allows attackers to craft malicious requests that cause the server to make requests to arbitrary internal or external resources.

Attack Vector

The attack vector is network-based and requires no privileges or user interaction. An attacker can exploit this vulnerability by:

  1. Identifying a web service endpoint running a vulnerable version of Apache CXF
  2. Crafting a malicious MTOM-encoded SOAP request with an XOP:Include element
  3. Specifying an attacker-controlled or internal URL in the href attribute
  4. Sending the request to the vulnerable endpoint

The server then processes the MTOM request and attempts to fetch the resource specified in the href attribute, effectively allowing the attacker to make HTTP requests from the server's perspective. This can be leveraged to scan internal networks, access cloud metadata endpoints, exfiltrate data, or interact with internal services that would otherwise be unreachable from external networks.

The vulnerability mechanism involves MTOM request parsing where the XOP:Include element's href attribute is processed without proper URI validation. For detailed technical information, refer to the Apache Security Advisory CVE-2022-46364.

Detection Methods for CVE-2022-46364

Indicators of Compromise

  • Unusual outbound HTTP requests from web service servers to internal IP addresses or cloud metadata endpoints (e.g., 169.254.169.254)
  • SOAP requests containing XOP:Include elements with suspicious href values pointing to internal resources
  • Web service logs showing MTOM-encoded requests with external or internal URL references in attachment data
  • Unexpected network connections from application servers to internal services or unauthorized external hosts

Detection Strategies

  • Implement network monitoring to detect outbound requests from web service servers to internal network segments or cloud metadata endpoints
  • Configure web application firewalls (WAF) to inspect SOAP/MTOM traffic for suspicious XOP:Include patterns
  • Deploy intrusion detection systems with signatures for SSRF attack patterns targeting Apache CXF
  • Review application logs for MTOM requests containing unusual URI schemes or internal IP addresses in XOP:Include elements

Monitoring Recommendations

  • Enable detailed logging for Apache CXF web services to capture all MTOM request details
  • Monitor network traffic from web service hosts for connections to unexpected destinations
  • Set up alerts for outbound connections to private IP ranges from DMZ or external-facing servers
  • Regularly audit Apache CXF version deployments across the organization to identify vulnerable instances

How to Mitigate CVE-2022-46364

Immediate Actions Required

  • Upgrade Apache CXF to version 3.5.5 or later (for 3.5.x branch) immediately
  • Upgrade Apache CXF to version 3.4.10 or later (for 3.4.x branch) if on the older branch
  • Conduct an inventory of all applications using Apache CXF to identify vulnerable deployments
  • Implement network segmentation to limit the impact of potential SSRF attacks from web service hosts

Patch Information

Apache has released patched versions that address this SSRF vulnerability:

  • Apache CXF 3.5.5 and later versions for the 3.5.x branch
  • Apache CXF 3.4.10 and later versions for the 3.4.x branch

For complete details, consult the Apache Security Advisory CVE-2022-46364.

Workarounds

  • If immediate patching is not possible, implement strict egress filtering on servers running vulnerable Apache CXF instances to block outbound requests to internal networks
  • Configure network firewalls to prevent web service servers from making direct connections to sensitive internal resources
  • Deploy a web application firewall (WAF) to filter and block malicious MTOM requests containing suspicious XOP:Include patterns
  • Consider disabling MTOM support if not required by your application
bash
# Example: Verify Apache CXF version in Maven project
mvn dependency:tree | grep cxf

# Check for vulnerable versions and update pom.xml to safe versions:
# For 3.5.x branch: upgrade to 3.5.5 or later
# For 3.4.x branch: upgrade to 3.4.10 or later

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.