cxf-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache CXF > CVE-2012-3451
Date Wed, 19 Sep 2012 15:24:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF/CVE-2012-3451">CVE-2012-3451</a></h2>
    <h4>Page <b>added</b> by <a href="https://cwiki.apache.org/confluence/display/~coheigea@apache.org">Colm O hEigeartaigh</a>
    </h4>
         <br/>
    <div class="notificationGreySide">


<p>CVE-2012-3451: Apache CXF is vulnerable to SOAP Action spoofing attacks on<br/>
Document Literal web services.</p>

<p>Severity: Important</p>

<p>Vendor: The Apache Software Foundation</p>

<p>Versions Affected:</p>

<p>This vulnerability affects all released versions of Apache CXF.</p>

<p>Description:</p>

<p>Each operation in a SOAP web service can be associated with a SOAP Action<br/>
String (e.g. in the WSDL binding or via an annotation). The web service client<br/>
can send the SOAP Action String as a header with the request as a way of <br/>
letting the web service know what operation is required. </p>

<p>In some cases, CXF uses the received SOAP Action to select the correct<br/>
operation to invoke, and does not check to see that the message body is<br/>
correct. This can be exploited to execute a SOAP Action spoofing attack,<br/>
where an adversary can execute another operation in the web service by sending<br/>
the corresponding SOAP Action. This attack only works if the different<br/>
operation takes the same parameter types, and hence has somewhat limited<br/>
applicability.</p>

<p>This attack also only applies to web services that use unique SOAPActions per<br/>
service operation, which is not the default in CXF. Also note that WS-Policy<br/>
validation is done against the operation being invoked and thus the incoming<br/>
message must meet those policy requirements as well, also limiting<br/>
applicability.</p>

<p>This has been fixed in revision:</p>

<p><a href="http://svn.apache.org/viewvc?view=revision&amp;revision=1368559"
class="external-link" rel="nofollow">http://svn.apache.org/viewvc?view=revision&amp;revision=1368559</a></p>

<p>All released versions of CXF are affected.</p>

<p>Migration:</p>

<p>Users of CXF prior to 2.4.x should upgrade to either 2.4.9, 2.5.5, or 2.6.2.<br/>
CXF 2.4.x users should upgrade to 2.4.9 as soon as possible.<br/>
CXF 2.5.x users should upgrade to 2.5.5 as soon as possible.<br/>
CXF 2.6.x users should upgrade to 2.6.2 as soon as possible.</p>

<p>References: <a href="http://cxf.apache.org/security-advisories.html" class="external-link"
rel="nofollow">http://cxf.apache.org/security-advisories.html</a></p>
    </div>
</div>
</div>
</div>
</div>
</body>
</html>
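The mismatch the advisory describes, between the SOAP Action header and the document/literal message body, can be checked for as in the following added example. It is not code from Apache CXF or from the fix revision; the namespace, operation names and binding table are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "http://example.org/orders"  # constructed namespace (assumption)

# Constructed binding table: SOAPAction -> expected doc/literal body element.
# Both hypothetical operations take the same parameter type (one string id),
# which is the precondition the advisory gives for the spoofing to work.
BINDING = {
    "urn:getOrder": f"{{{APP_NS}}}getOrder",
    "urn:deleteOrder": f"{{{APP_NS}}}deleteOrder",
}


def check_request(soap_action_header, envelope_xml):
    """Return 'ok', 'mismatch', 'unknown-action' or 'malformed'."""
    # The HTTP SOAPAction header value is normally a quoted string.
    action = (soap_action_header or "").strip().strip('"')
    expected = BINDING.get(action)
    if expected is None:
        return "unknown-action"
    # SOAP 1.1 messages must not carry a DTD; refuse before parsing.
    if "<!DOCTYPE" in envelope_xml:
        return "malformed"
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return "malformed"
    body = root.find(f"{{{SOAP_NS}}}Body")
    if root.tag != f"{{{SOAP_NS}}}Envelope" or body is None or len(body) != 1:
        return "malformed"
    # Document/literal: the single child of Body names the operation.
    return "ok" if body[0].tag == expected else "mismatch"


def envelope(op):
    """Build a constructed sample request whose body names operation `op`."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<o:{op} xmlns:o="{APP_NS}"><id>42</id></o:{op}>'
            f'</s:Body></s:Envelope>')


if __name__ == "__main__":
    for hdr, op in [('"urn:getOrder"', "getOrder"),
                    ('"urn:deleteOrder"', "getOrder"),
                    ('"urn:listOrders"', "getOrder")]:
        print(hdr, "with body", op, "->", check_request(hdr, envelope(op)))
```

A request that yields `mismatch` is one where dispatching on the header alone would invoke an operation the body does not name; it should be rejected or logged rather than dispatched.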
