cxf-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache CXF > CVE-2012-0803
Date Tue, 07 Feb 2012 10:39:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF/CVE-2012-0803">CVE-2012-0803</a></h2>
    <h4>Page  <b>added</b> by             <a href="https://cwiki.apache.org/confluence/display/~coheigea@apache.org">Colm
O hEigeartaigh</a>
    </h4>
         <br/>
    <div class="notificationGreySide">
<p>-----BEGIN PGP SIGNED MESSAGE-----<br/>
Hash: SHA1</p>


<p>CVE-2012-0803: Apache CXF does not validate UsernameToken policies correctly</p>

<p>Severity: Important</p>

<p>Vendor: The Apache Software Foundation</p>

<p>Versions Affected: Apache CXF 2.4.5 and 2.5.1</p>

<p>Description: CXF does not validate a WS-Security UsernameToken received as part<br/>
of the security header of a SOAP request against a WS-SP UsernameToken policy.</p>

<p>A malicious client could send a request to the endpoint with no UsernameToken,<br/>
and the UsernameToken policy requirement would still be marked as valid.</p>

<p>This has been fixed in revision:</p>

<p><a href="http://svn.apache.org/viewvc?view=revision&amp;revision=1233457"
class="external-link" rel="nofollow">http://svn.apache.org/viewvc?view=revision&amp;revision=1233457</a></p>

<p>This issue was a regression in CXF 2.4.5 and 2.5.1. The vulnerability does not<br/>
exist in CXF 2.4.4 and 2.5.0.</p>

<p>Migration:</p>

<p>CXF 2.4.5 users should upgrade to 2.4.6 as soon as possible.<br/>
CXF 2.5.1 users should upgrade to 2.5.2 as soon as possible.</p>

<p>References: <a href="http://cxf.apache.org/security-advisories.html" class="external-link"
rel="nofollow">http://cxf.apache.org/security-advisories.html</a></p>

<p>-----BEGIN PGP SIGNATURE-----<br/>
Version: GnuPG v1.4.11 (GNU/Linux)</p>

<p>iQEcBAEBAgAGBQJPMAVXAAoJEGe/gLEK1TmD6y0H/2aP3A02qoFKeV0oYj7y8BCv<br/>
yPymkAilG6RLZK3kafZREnQ2jY/lCT0xXNP5n+0TYEu56WuS5tGzAeWpQc1TFmbi<br/>
Uq0YTv5RM3TZZ8lzThid+ean1qBU9LuIziQqKWP0QRpw+UipUHq68jTGkAOMePId<br/>
IbXnyogUy0si3jpI7BCnMsDOR8fGx9+t35D5jfcVf4aH+jFP1W4DhjeFbDhMlvSF<br/>
8Z4Pphvd7yi6x469dx0e46cGLaGi/BYyG3C2IrMOAmUXBcYB3g3skZN1nrY1t90n<br/>
IB12w03xishiAZVNs9FsfR3lAa84zX8z7+hrqb8Rlra1evhJBXQ/L583bmMmxKc=<br/>
=iU+M<br/>
-----END PGP SIGNATURE-----</p>
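<p>As an added illustration, not part of this advisory and not CXF's own code: a small Python model of the check the advisory says was skipped. A WS-SP policy that nests an sp:UsernameToken under a supporting-tokens assertion is evaluated against two constructed SOAP requests, one carrying a wsse:UsernameToken and one with no security header at all. The policy, both envelopes, the urn:example:bank body and the two validate_* functions are constructed for this example; validate_regressed models the described behaviour (the assertion is marked satisfied without reading the header) and validate_fixed shows what a correct evaluation must do.</p>

```python
"""Model of the failure mode in CVE-2012-0803: a WS-SecurityPolicy UsernameToken
assertion marked satisfied without consulting the incoming wsse:Security header.

Added example; this is not CXF code. The policy, the two envelopes and both
validate_* functions are constructed here for illustration only.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsp": "http://www.w3.org/ns/ws-policy",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
}

# Constructed WS-SP 1.2 policy: every request must carry a UsernameToken
# as a supporting token.
POLICY = f"""
<wsp:Policy xmlns:wsp="{NS['wsp']}" xmlns:sp="{NS['sp']}">
  <sp:SupportingTokens>
    <wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="{NS['sp']}/IncludeToken/AlwaysToRecipient">
        <wsp:Policy><sp:WssUsernameToken11/></wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SupportingTokens>
</wsp:Policy>
"""


def envelope(security_header: str) -> str:
    """Constructed SOAP 1.1 request with the given (possibly empty) header."""
    return f"""
<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}">
  <soap:Header>{security_header}</soap:Header>
  <soap:Body><getBalance xmlns="urn:example:bank"/></soap:Body>
</soap:Envelope>
"""


# A legitimate client sends a UsernameToken; a malicious client sends none.
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
WITH_TOKEN = envelope(f"""
    <wsse:Security soap:mustUnderstand="1">
      <wsse:UsernameToken>
        <wsse:Username>alice</wsse:Username>
        <wsse:Password Type="{PASSWORD_TEXT}">s3cret</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>""")
NO_TOKEN = envelope("")

SUPPORTING = ("SupportingTokens", "SignedSupportingTokens",
              "EndorsingSupportingTokens", "SignedEndorsingSupportingTokens")


def policy_requires_username_token(policy_xml: str) -> bool:
    """True if any sp:*SupportingTokens assertion nests an sp:UsernameToken."""
    root = ET.fromstring(policy_xml)
    for name in SUPPORTING:
        for assertion in root.iter(f"{{{NS['sp']}}}{name}"):
            if assertion.find(".//sp:UsernameToken", NS) is not None:
                return True
    return False


def username_tokens(envelope_xml: str) -> list:
    """UsernameTokens actually present in the request's wsse:Security header."""
    root = ET.fromstring(envelope_xml)
    found = []
    for security in root.findall("soap:Header/wsse:Security", NS):
        for token in security.findall("wsse:UsernameToken", NS):
            found.append({
                "username": token.findtext("wsse:Username", default="",
                                           namespaces=NS),
                "password_present": token.find("wsse:Password", NS) is not None,
            })
    return found


def validate_regressed(policy_xml: str, envelope_xml: str) -> bool:
    """The behaviour the advisory describes, modelled: the policy is parsed,
    but the assertion is marked satisfied without examining the message."""
    policy_requires_username_token(policy_xml)  # policy is read ...
    return True  # BUG (modelled): ... envelope_xml is never consulted


def validate_fixed(policy_xml: str, envelope_xml: str) -> bool:
    """Correct behaviour: the assertion holds only if the header carries a
    UsernameToken with a Username. Password type, nonce and timestamp checks
    belong to the token validator and are out of scope here."""
    if not policy_requires_username_token(policy_xml):
        return True
    return any(t["username"] for t in username_tokens(envelope_xml))


if __name__ == "__main__":
    for label, env in (("with token", WITH_TOKEN), ("no token", NO_TOKEN)):
        print(f"{label:10s} regressed={validate_regressed(POLICY, env)} "
              f"fixed={validate_fixed(POLICY, env)}")
```

<p>Running the file prints both verdicts for each request: the regressed evaluation accepts the token-less request, the fixed one rejects it. The same idea is the check to run against a deployment after upgrading: send the endpoint a request whose header carries no UsernameToken and confirm it answers with a SOAP Fault rather than a normal response.</p>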
    </div>
</div>
</div>
</div>
</div>
</body>
</html>
