cxf-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache CXF > CVE-2013-0239
Date Fri, 08 Feb 2013 11:30:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF/CVE-2013-0239">CVE-2013-0239</a></h2>
    <h4>Page  <b>added</b> by             <a href="https://cwiki.apache.org/confluence/display/~coheigea@apache.org">Colm
O hEigeartaigh</a>
    </h4>
         <br/>
    <div class="notificationGreySide">


<p>CVE-2013-0239: Authentication bypass in the case of WS-SecurityPolicy enabled<br/>
plaintext UsernameTokens.</p>

<p>Severity: Critical</p>

<p>Vendor: The Apache Software Foundation</p>

<p>Versions Affected:</p>

<p>This vulnerability affects all versions of Apache CXF prior to 2.5.9, 2.6.6<br/>
and 2.7.3. </p>

<p>Description:</p>

<p>The following WS-SecurityPolicy 1.3 fragment requires that a WS-Security<br/>
UsernameToken must be present in the security header of a SOAP request:</p>

<pre>&lt;sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"&gt;
    &lt;wsp:Policy&gt;
        &lt;sp:WssUsernameToken10/&gt;
    &lt;/wsp:Policy&gt;
&lt;/sp:UsernameToken&gt;</pre>

<p>If a UsernameToken element is sent with no password child element, then a<br/>
policy similar to the one defined above will, by default, bypass<br/>
authentication completely. This is because CXF supports the use-case of<br/>
deriving keys from a UsernameToken, where a password element is not sent in<br/>
the token.</p>

<p>The vulnerability does not apply in any of the following circumstances:</p>

<p> a) You are using a custom UsernameTokenValidator which does not allow the<br/>
    'verifyUnknownPassword' use-case, or that otherwise insists that a password<br/>
    must be present in the token (such as the 'JAASUsernameTokenValidator' in<br/>
    WSS4J).<br/>
 b) You are using a 'sp:HashPassword' policy that requires a hashed password<br/>
    to be present in the token.<br/>
 c) You are using the older style of configuring WS-Security without using<br/>
    WS-SecurityPolicy.</p>

<p>If you are relying on WS-SecurityPolicy enabled plaintext UsernameTokens to<br/>
authenticate users, and neither point a) nor point b) applies, then you must<br/>
upgrade to a fixed version of CXF (see below), or else configure a custom<br/>
UsernameTokenValidator implementation that insists that a password element<br/>
is present.</p>
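<p>A custom validator of the kind described above, as an added example that is not part of the original advisory or of the CXF code base. It is written against the WSS4J 1.6.x validator API; the class name is hypothetical, and registering it through the CXF "ws-security.ut.validator" endpoint property is an assumption about your configuration.</p>

```java
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.UsernameTokenValidator;

/**
 * Hypothetical validator (added example): rejects any UsernameToken that
 * carries no password element, then delegates to the stock WSS4J checks.
 *
 * Assumed registration: set the endpoint property "ws-security.ut.validator"
 * to an instance of this class (or to its fully qualified class name).
 */
public class PasswordRequiredUsernameTokenValidator extends UsernameTokenValidator {

    @Override
    public Credential validate(Credential credential, RequestData data)
            throws WSSecurityException {
        if (credential == null || credential.getUsernametoken() == null) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }

        // getPassword() returns null when the token has no password child
        // element, which is the case the advisory describes.
        String password = credential.getUsernametoken().getPassword();
        if (password == null) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }

        // A password is present: let the default validator verify it
        // (plaintext, digest or custom type) through the callback handler.
        return super.validate(credential, data);
    }

    /**
     * Defence in depth: the default implementation can accept a token with
     * no password to support derived keys. This service authenticates with
     * plaintext UsernameTokens, so that path is always refused.
     */
    @Override
    protected void verifyUnknownPassword(UsernameToken usernameToken, RequestData data)
            throws WSSecurityException {
        throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
    }
}
```

<p>Do not use this validator on endpoints that legitimately derive keys from a UsernameToken, since those tokens carry no password element.</p>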

<p>The fix is to require a password element in the case of a (non-endorsing)<br/>
SupportingToken.</p>

<p>This has been fixed in revisions:</p>

<p><a href="http://svn.apache.org/viewvc?view=revision&amp;revision=1438424"
class="external-link" rel="nofollow">http://svn.apache.org/viewvc?view=revision&amp;revision=1438424</a></p>

<p>Migration:</p>

<p>Users of CXF prior to 2.5.x should upgrade to either 2.5.9, 2.6.6, or 2.7.3.<br/>
CXF 2.5.x users should upgrade to 2.5.9 as soon as possible.<br/>
CXF 2.6.x users should upgrade to 2.6.6 as soon as possible.<br/>
CXF 2.7.x users should upgrade to 2.7.3 as soon as possible.</p>

<p>References: <a href="http://cxf.apache.org/security-advisories.html" class="external-link"
rel="nofollow">http://cxf.apache.org/security-advisories.html</a></p>

    </div>
</div>
</div>
</div>
</div>
</body>
</html>
