cxf-commits mailing list archives

Subject [CONF] Apache CXF > CVE-2012-2379
Date Thu, 07 Jun 2012 09:43:00 GMT
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="">CVE-2012-2379</a></h2>
    <h4>Page <b>added</b> by <a href="">Colm O hEigeartaigh</a></h4>
    <div class="notificationGreySide">
         <p>-----BEGIN PGP SIGNED MESSAGE-----<br/>
Hash: SHA1</p>

<p>CVE-2012-2379: Apache CXF does not verify that elements were signed or <br/>
encrypted by a particular Supporting Token.</p>

<p>Severity: Important</p>

<p>Vendor: The Apache Software Foundation</p>

<p>Versions Affected:</p>

<p>This vulnerability affects all released versions of Apache CXF.</p>

<p>Description: </p>

<p>Apache CXF currently validates WS-SecurityPolicy SignedParts, SignedElements,<br/>
EncryptedParts and EncryptedElements policies by checking to see if the<br/>
matching elements are signed or encrypted if they are included in the request.<br/>
However, CXF does not ensure that the elements were signed or encrypted by<br/>
a particular token, if these policies are specified as children of a <br/>
Supporting Token. For example, the following policy requires that (the private<br/>
key associated with) an X.509 Token sign the WS-Addressing "To" header. CXF<br/>
currently checks to see whether the header was signed, but not by an X.509<br/>
Token in particular:</p>

<pre>&lt;sp:X509Token sp:IncludeToken="..."&gt;...&lt;/sp:X509Token&gt;
      &lt;sp:Header Name="To" Namespace="" /&gt;</pre>

<p>Note that this applies for both WS-SecurityPolicy 1.1 and 1.2 policies.</p>
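<p>The following is an added illustration of the flaw described above, written for this page; it is not Apache CXF code and does not use CXF's policy classes. It models a security header as a list of sign/encrypt operations, each performed with some token, and a SignedParts/EncryptedParts assertion nested under a Supporting Token. The pre-fix logic asks only whether each required element was covered by <em>some</em> signature or encryption; the corrected logic counts only operations performed with a token that matches the Supporting Token assertion. The namespace URIs, token ids and the SAML token in the sample message are constructed for the example (the advisory elides the real Namespace value).</p>

```python
"""Model of the CVE-2012-2379 policy check (illustration only, not CXF code)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Set, Tuple

Part = Tuple[str, str]  # (namespace URI, local element name)

# Constructed namespace constants for the example message.
WSA_NS = "http://www.w3.org/2005/08/addressing"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


@dataclass(frozen=True)
class Token:
    token_id: str
    token_type: str          # e.g. "X509Token", "UsernameToken", "SamlToken"


@dataclass(frozen=True)
class SecurityOperation:
    kind: str                # "sign" or "encrypt"
    token: Token             # token whose key performed the operation
    parts: FrozenSet[Part]   # elements covered by this signature / encryption


@dataclass(frozen=True)
class SupportingTokenPolicy:
    """SignedParts / EncryptedParts nested under a Supporting Token assertion."""
    token_type: str
    signed_parts: FrozenSet[Part] = frozenset()
    encrypted_parts: FrozenSet[Part] = frozenset()


def _covered(ops: Iterable[SecurityOperation], kind: str) -> Set[Part]:
    """Union of all parts covered by operations of the given kind."""
    covered: Set[Part] = set()
    for op in ops:
        if op.kind == kind:
            covered |= op.parts
    return covered


def vulnerable_check(ops: Iterable[SecurityOperation],
                     policy: SupportingTokenPolicy) -> bool:
    """Pre-fix logic: each required part must be signed/encrypted by *any* token."""
    ops = list(ops)
    return (policy.signed_parts <= _covered(ops, "sign")
            and policy.encrypted_parts <= _covered(ops, "encrypt"))


def fixed_check(ops: Iterable[SecurityOperation],
                policy: SupportingTokenPolicy) -> bool:
    """Post-fix logic: only operations made with a token that satisfies the
    Supporting Token assertion count towards its SignedParts/EncryptedParts."""
    matching = [op for op in ops if op.token.token_type == policy.token_type]
    return (policy.signed_parts <= _covered(matching, "sign")
            and policy.encrypted_parts <= _covered(matching, "encrypt"))


def demo() -> dict:
    """Constructed messages against the advisory's policy: the X.509 Supporting
    Token must sign the wsa:To header."""
    to_header = (WSA_NS, "To")
    body = (SOAP_NS, "Body")
    x509 = Token("X509-1", "X509Token")
    saml = Token("SAML-1", "SamlToken")      # constructed second token
    policy = SupportingTokenPolicy("X509Token", signed_parts=frozenset({to_header}))

    # Message 1: the X.509 token signs the header, as the policy intends.
    compliant = [SecurityOperation("sign", x509, frozenset({to_header, body}))]
    # Message 2: the header is signed, but by the SAML token, not the X.509 token.
    wrong_token = [SecurityOperation("sign", saml, frozenset({to_header, body}))]

    return {
        "compliant": (vulnerable_check(compliant, policy), fixed_check(compliant, policy)),
        "wrong_token": (vulnerable_check(wrong_token, policy), fixed_check(wrong_token, policy)),
    }


if __name__ == "__main__":
    print(demo())
```

<p>Both checks accept the compliant message; only the corrected check rejects the message whose header is signed by the wrong token, which is exactly the gap the advisory describes. Binding the check to the specific token in the message (its id or certificate) rather than to its type would be stricter still; the type match here is enough to show the difference between "signed" and "signed by the required token".</p>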

<p>This has been fixed in revision:</p>

<p><a href=";view=rev" class="external-link"></a></p>

<p>All released versions of CXF are affected.</p>


<p>Users of CXF prior to 2.4.x should upgrade to either 2.4.8, 2.5.4, or 2.6.1.<br/>
CXF 2.4.5 to 2.4.7 users should upgrade to 2.4.8 as soon as possible.<br/>
CXF 2.5.1 to 2.5.3 users should upgrade to 2.5.4 as soon as possible.<br/>
CXF 2.6.0 users should upgrade to 2.6.1 as soon as possible.</p>

<p>References: <a href="" class="external-link"></a></p>

<p>-----BEGIN PGP SIGNATURE-----<br/>
Version: GnuPG v1.4.11 (GNU/Linux)</p>

<p>-----END PGP SIGNATURE-----</p>
    <div id="commentsSection" class="wiki-content pageSection">
       <div style="float: right;">