cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [CONF] Apache CXF > CVE-2012-3451
Date Wed, 19 Sep 2012 15:24:00 GMT
    <base href="">
            <link rel="stylesheet" href="/confluence/s/2042/9/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="">CVE-2012-3451</a></h2>
    <h4>Page  <b>added</b> by             <a href="">Colm
O hEigeartaigh</a>
    <div class="notificationGreySide">
         <p>----<del>BEGIN PGP SIGNED MESSAGE</del>----<br/>
Hash: SHA1</p>

<p>CVE-2012-3451: Apache CXF is vulnerable to SOAP Action spoofing attacks on<br/>
Document Literal web services.</p>

<p>Severity: Important</p>

<p>Vendor: The Apache Software Foundation</p>

<p>Versions Affected:</p>

<p>This vulnerability affects all released versions of Apache CXF.</p>


<p>Each operation in a SOAP web service can be associated with a SOAP Action<br/>
String (e.g. in the WSDL binding or via an annotation). The web service client<br/>
can send the SOAP Action String as a header with the request as a way of <br/>
letting the web service know what operation is required. </p>

<p>In some cases, CXF uses the received SOAP Action to select the correct<br/>
operation to invoke, and does not check to see that the message body is<br/>
correct. This can be exploitable to execute a SOAP Action spoofing attack,<br/>
where an adversary can execute another operation in the web service by sending<br/>
the corresponding SOAP Action. This attack only works if the different<br/>
operation takes the same parameter types, and hence has somewhat limited<br/>

<p>This attack also only applies for web services that use unique SOAPActions per<br/>
service operation which is not the default in CXF. Also note that WS-Policy<br/>
validation is done against the operation being invoked and thus the incoming<br/>
message must meet those policy requirements as well, also limiting<br/>

<p>This has been fixed in revision:</p>

<p><a href=";revision=1368559"
class="external-link" rel="nofollow">;revision=1368559</a></p>

<p>All released versions of CXF are affected.</p>


<p>Users of CXF prior to 2.4.x should upgrade to either 2.4.9, 2.5.5, or 2.6.2.<br/>
CXF 2.4.x users should upgrade to 2.4.9 as soon as possible.<br/>
CXF 2.5.x users should upgrade to 2.5.5 as soon as possible.<br/>
CXF 2.6.x users should upgrade to 2.6.2 as soon as possible.</p>

<p>References: <a href="" class="external-link"
----<del>BEGIN PGP SIGNATURE</del>----<br/>
Version: GnuPG v1.4.11 (GNU/Linux)</p>

----<del>END PGP SIGNATURE</del>----</p>
    <div id="commentsSection" class="wiki-content pageSection">
       <div style="float: right;">
            <a href=""
class="grey">Change Notification Preferences</a>
       <a href="">View
       <a href=";showCommentArea=true#addcomment">Add

View raw message