cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache CXF > CVE-2012-2379
Date Thu, 07 Jun 2012 09:43:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF/CVE-2012-2379">CVE-2012-2379</a></h2>
    <h4>Page  <b>added</b> by             <a href="https://cwiki.apache.org/confluence/display/~coheigea@apache.org">Colm
O hEigeartaigh</a>
    </h4>
         <br/>
    <div class="notificationGreySide">
         <p>----<del>BEGIN PGP SIGNED MESSAGE</del>----<br/>
Hash: SHA1</p>


<p>CVE-2012-2379: Apache CXF does not verify that elements were signed or <br/>
encrypted by a particular Supporting Token.</p>

<p>Severity: Important</p>

<p>Vendor: The Apache Software Foundation</p>

<p>Versions Affected:</p>

<p>This vulnerability affects all released versions of Apache CXF.</p>

<p>Description: </p>

<p>Apache CXF currently validates WS-SecurityPolicy SignedParts, SignedElements,<br/>
EncryptedParts and EncryptedElements policies by checking to see if the<br/>
matching elements are signed or encrypted if they are included in the request.<br/>
However, CXF does not ensure that the elements were signed or encrypted by<br/>
a particular token, if these policies are specified as children of a <br/>
Supporting Token. For example, the following policy requires that (the private<br/>
key associated with) an X.509 Token sign the WS-Addressing "To" header. CXF<br/>
currently checks to see whether the header was signed, but not by a X.509<br/>
Token in particular:</p>

<p>&lt;sp:SupportingToken&gt;<br/>
  &lt;sp:X509Token sp:IncludeToken="..."&gt;...&lt;/sp:X509Token&gt;<br/>
  &lt;sp:SignedParts&gt;<br/>
        &lt;sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" /&gt;<br/>
  &lt;/sp:SignedParts&gt;<br/>
&lt;/sp:SupportingToken&gt;</p>

<p>Note that this applies for both WS-SecurityPolicy 1.1 and 1.2 policies.</p>

<p>This has been fixed in revision:</p>

<p><a href="http://svn.apache.org/viewvc?rev=1338219&amp;view=rev" class="external-link"
rel="nofollow">http://svn.apache.org/viewvc?rev=1338219&amp;view=rev</a></p>

<p>All released versions of CXF are affected.</p>

<p>Migration:</p>

<p>Users of CXF prior to 2.4.x should upgrade to either 2.4.8, 2.5.4, or 2.6.1.<br/>
CXF 2.4.5 to 2.4.7 users should upgrade to 2.4.8 as soon as possible.<br/>
CXF 2.5.1 to 2.5.3 users should upgrade to 2.5.4 as soon as possible.<br/>
CXF 2.6.0 users should upgrade to 2.6.1 as soon as possible.</p>

<p>References: <a href="http://cxf.apache.org/security-advisories.html" class="external-link"
rel="nofollow">http://cxf.apache.org/security-advisories.html</a></p>

<p>----<del>BEGIN PGP SIGNATURE</del>----<br/>
Version: GnuPG v1.4.11 (GNU/Linux)</p>

<p>iQEcBAEBAgAGBQJP0HTcAAoJEGe/gLEK1TmDFVwH/Agv7RZZh8osal/xBWENZYKE<br/>
LrLK51XzYuASo6B6ezU69HsVmgLpbopl94Rhn7mbKdz0dFG417WbqftXz81PFc0N<br/>
UYIh8zNf/SAgm+7onRq9kawFqp28cbP2B1hkhT16q0BEMcB4bJ06YLR8J7VHcyxu<br/>
QW//mMuOszVvz1Pn6jlcaQryQ8tvwWPT1Li/L5QmZxmw/M4N9joOEtIp/3kJ+HhX<br/>
vW5BW9/9x4BSRU50dF13/viStUqUh5bZDDz1R6qbYm8IDU4F2eC8lc5KcGfBvbM7<br/>
uUmVTtsKsdlRo8d2gUL0iyCKp7n+2w9D19Y+gcUvsqKZGwQE/LuryDVNK4EFeBc=<br/>
=hkRS<br/>
----<del>END PGP SIGNATURE</del>----</p>
    </div>
    <div id="commentsSection" class="wiki-content pageSection">
       <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
       </div>
       <a href="https://cwiki.apache.org/confluence/display/CXF/CVE-2012-2379">View
Online</a>
              |
       <a href="https://cwiki.apache.org/confluence/display/CXF/CVE-2012-2379?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
           </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message