cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache CXF > CVE-2012-2378
Date Thu, 07 Jun 2012 09:40:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF/CVE-2012-2378">CVE-2012-2378</a></h2>
    <h4>Page  <b>added</b> by             <a href="https://cwiki.apache.org/confluence/display/~coheigea@apache.org">Colm
O hEigeartaigh</a>
    </h4>
         <br/>
    <div class="notificationGreySide">
         <p>----<del>BEGIN PGP SIGNED MESSAGE</del>----<br/>
Hash: SHA1</p>


<p>CVE-2012-2378: Apache CXF does not pick up some child policies of<br/>
WS-SecurityPolicy 1.1 SupportingToken policy assertions on the client side.</p>

<p>Severity: Important</p>

<p>Vendor: The Apache Software Foundation</p>

<p>Versions Affected:</p>

<p>Apache CXF 2.4.5 to 2.4.7<br/>
Apache CXF 2.5.1 to 2.5.3<br/>
Apache CXF 2.6.0</p>

<p>Description: </p>

<p>None of the following child policies of a WS-SecurityPolicy 1.1<br/>
(.*)SupportingToken policy are picked up on the client side:</p>

<ul class="alternate" type="square">
	<li>AlgorithmSuite</li>
	<li>SignedParts</li>
	<li>SignedElements</li>
	<li>EncryptedParts</li>
	<li>EncryptedElements</li>
</ul>


<p>Note that all of these policies are picked up on the client side in the most<br/>
common use-cases, for example when an AlgorithmSuite is specified under a<br/>
security binding, or when a SignedParts Element is specified per-operation or<br/>
per-binding. They only do not apply when a SupportingToken is used to sign<br/>
or encrypt some part or element, for example:</p>

<p>&lt;sp:EndorsingSupportingToken<br/>
  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"&gt;<br/>
  ...<br/>
  &lt;sp:SignedParts&gt;<br/>
        &lt;sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" /&gt;<br/>
  &lt;/sp:SignedParts&gt;<br/>
&lt;/sp:EndorsingSupportingToken&gt;</p>

<p>Also note that this does not apply for the WS-SecurityPolicy 1.2 namespace,<br/>
but <b>only</b> for the older WS-SecurityPolicy 1.1 namespace of:</p>

<p>"http://schemas.xmlsoap.org/ws/2005/07/securitypolicy".</p>

<p>This has been fixed in revision:</p>

<p><a href="http://svn.apache.org/viewvc?view=revision&amp;revision=1337150"
class="external-link" rel="nofollow">http://svn.apache.org/viewvc?view=revision&amp;revision=1337150</a></p>

<p>The versions that are affected are CXF 2.4.5 to 2.4.7, CXF 2.5.1 to 2.5.3, and<br/>
CXF 2.6.0. The vulnerability does not exist in CXF 2.3.10, CXF 2.4.4 or 2.5.0.</p>

<p>Migration:</p>

<p>CXF 2.4.5 to 2.4.7 users should upgrade to 2.4.8 as soon as possible.<br/>
CXF 2.5.1 to 2.5.3 users should upgrade to 2.5.4 as soon as possible.<br/>
CXF 2.6.0 users should upgrade to 2.6.1 as soon as possible.</p>

<p>References: <a href="http://cxf.apache.org/security-advisories.html" class="external-link"
rel="nofollow">http://cxf.apache.org/security-advisories.html</a></p>

<p>----<del>BEGIN PGP SIGNATURE</del>----<br/>
Version: GnuPG v1.4.11 (GNU/Linux)</p>

<p>iQEcBAEBAgAGBQJP0HTJAAoJEGe/gLEK1TmDRsEIAIHNiUGAE9Ct+RAd2XT7yiLk<br/>
5fbN93dB87bFyl2byXBXxUu5vwyPAoT015CDSqqU16g3wNd4WM/WSCF0sNBCOAF9<br/>
qQ+cO0CNXG7xeE9/qfjsePxYDeWu729Et+KUBAmmsGvvY0xcP+zL1DmxP4wM45jT<br/>
2I6r85PLinYh4QeV3o0F6m3R2dFJQWLEpQwmQDl8C+zNObuRdZ6MlgKEPOPz10Ie<br/>
S9xQg7S3w8YPjk8FQGWX5hbRWteGLBftX2VD9rxz9gK2r9YN4eg6BL6S71LoAYNx<br/>
hM1CbT1Q+jFk8Biv7ZvL2l2X59wdk+J+xdYCJomxCEUUFMFEM0dkFBad8BU0nOk=<br/>
=YSM6<br/>
----<del>END PGP SIGNATURE</del>----</p>
    </div>
    <div id="commentsSection" class="wiki-content pageSection">
       <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
       </div>
       <a href="https://cwiki.apache.org/confluence/display/CXF/CVE-2012-2378">View
Online</a>
              |
       <a href="https://cwiki.apache.org/confluence/display/CXF/CVE-2012-2378?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
           </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message