CVE-2024-29736 Overview
CVE-2024-29736 is a Server-Side Request Forgery (SSRF) vulnerability in the Web Application Description Language (WADL) service description component of Apache CXF. The flaw affects Apache CXF versions prior to 4.0.5, 3.6.4, and 3.5.9. Attackers can perform SSRF-style attacks against REST web services when a custom stylesheet parameter is configured on the target service. The vulnerability is tracked as CWE-918: Server-Side Request Forgery and requires no authentication or user interaction to exploit over the network.
Critical Impact
An unauthenticated remote attacker can coerce a vulnerable Apache CXF endpoint into issuing arbitrary HTTP requests, exposing internal services, metadata endpoints, and protected resources that should not be reachable from the public internet.
Affected Products
- Apache CXF versions prior to 4.0.5
- Apache CXF versions prior to 3.6.4 (3.6.x branch)
- Apache CXF versions prior to 3.5.9 (3.5.x branch)
Discovery Timeline
- 2024-07-19 - CVE-2024-29736 published to the National Vulnerability Database (NVD)
- 2024-11-15 - NetApp publishes downstream advisory NTAP-20241115-0003
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-29736
Vulnerability Analysis
Apache CXF is a widely deployed open-source services framework used to build SOAP and REST web services on the Java Virtual Machine. The vulnerable code path resides in the WADL service description generator, which produces machine-readable descriptions of REST endpoints. When a custom stylesheet parameter is configured, CXF processes a user-supplied value that influences an outbound request, but the framework does not adequately validate the destination before fetching it.
Attackers exploit this behavior by submitting a crafted request that points the stylesheet retrieval logic at internal network resources. The CXF process, running with the service account's network privileges, then performs the request on the attacker's behalf and may return the response or side effects to the caller.
Root Cause
The root cause is insufficient validation of URLs supplied through the custom stylesheet parameter in WADL processing. The framework treats the attacker-controlled value as a trusted resource locator and dispatches an HTTP request without enforcing an allowlist, scheme restriction, or destination policy. This pattern matches the classic SSRF weakness described in CWE-918.
Attack Vector
Exploitation requires that the target service has a custom stylesheet parameter configured. An unauthenticated attacker sends an HTTP request to the WADL endpoint with a stylesheet parameter pointing at an internal target such as http://169.254.169.254/latest/meta-data/ on cloud workloads or an internal admin interface. The CXF server resolves and fetches the URL, producing the SSRF condition. Refer to the Apache CXF mailing list advisory for vendor-published technical details.
No verified public proof-of-concept code is available at the time of writing.
Detection Methods for CVE-2024-29736
Indicators of Compromise
- Unexpected outbound HTTP or HTTPS requests originating from the Apache CXF service process to internal IP ranges, link-local addresses such as 169.254.169.254, or localhost.
- WADL endpoint access entries containing a stylesheet query parameter referencing external or internal URLs.
- Anomalous DNS lookups from the CXF host for domains controlled by an attacker, often used as SSRF callback canaries.
Detection Strategies
- Inspect web server and reverse proxy logs for requests targeting WADL description endpoints that include a stylesheet parameter with a URL value.
- Correlate inbound REST requests with subsequent outbound connections from the Java process to identify SSRF chains.
- Apply CWE-918 detection rules in static and dynamic application security testing tools against deployed CXF services.
Monitoring Recommendations
- Forward CXF, application server, and egress firewall logs to a centralized analytics platform for cross-source correlation.
- Alert on connections from application servers to cloud instance metadata endpoints, which legitimate REST services should not contact.
- Track the running version of Apache CXF across the fleet and flag any host running a release earlier than 4.0.5, 3.6.4, or 3.5.9.
How to Mitigate CVE-2024-29736
Immediate Actions Required
- Upgrade Apache CXF to 4.0.5, 3.6.4, 3.5.9, or later on every affected host and rebuild dependent applications.
- Audit all CXF service configurations for use of a custom stylesheet parameter and disable it where not strictly required.
- Restrict egress network access from application servers running CXF so they cannot reach cloud metadata services or internal management interfaces.
Patch Information
The Apache CXF project addressed the SSRF flaw in versions 4.0.5, 3.6.4, and 3.5.9. Patch details and release notes are available in the Apache CXF mailing list announcement and the OSS-Security mailing list post. Downstream consumers should also review the NetApp advisory NTAP-20241115-0003 for affected bundled products.
Workarounds
- Remove or unset the custom stylesheet parameter from CXF service configuration if upgrade is not immediately possible.
- Place a reverse proxy or web application firewall in front of CXF endpoints to block requests carrying a stylesheet query parameter with a URL value.
- Enforce egress filtering at the host or network layer so the CXF process can only reach explicitly approved destinations.
# Configuration example: block stylesheet parameter at an Nginx reverse proxy
location /services/ {
if ($arg_stylesheet) {
return 400;
}
proxy_pass http://cxf_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
