cxf-commits mailing list archives

Subject [CONF] Apache CXF > CVE-2012-5633
Date Fri, 08 Feb 2013 11:29:00 GMT
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="">CVE-2012-5633</a></h2>
    <h4>Page <b>added</b> by <a href="">Colm O hEigeartaigh</a></h4>
    <div class="notificationGreySide">

<p>CVE-2012-5633: WSS4JInInterceptor always allows HTTP Get requests from browser </p>

<p>Severity: Critical</p>

<p>Vendor: The Apache Software Foundation</p>

<p>Versions Affected:</p>

<p>This vulnerability affects all versions of Apache CXF prior to 2.5.8, 2.6.5<br/>
and 2.7.2. CXF 2.7.1 is not affected by default; however, the vulnerability<br/>
exists if you explicitly add the URIMappingInterceptor to the default<br/>


<p>The URIMappingInterceptor in CXF is a legacy interceptor that allows some basic<br/>
"rest style" access to a simple SOAP service. The functionality provided by<br/>
this interceptor has since been replaced by the JAX-RS standard.</p>

<p>An example of how this interceptor works is as follows. A simple "double it"<br/>
webservice is defined as:</p>

<pre>
import javax.jws.WebMethod;
import javax.jws.WebParam;
import javax.jws.WebService;

// Service endpoint interface for the "double it" example.
@WebService(name = "DoubleItPortType")
public interface DoubleItPortType {
    // Exposed as the SOAP operation "DoubleIt" with one int parameter.
    @WebMethod(operationName = "DoubleIt")
    public int doubleIt(
        @WebParam(name = "numberToDouble") int numberToDouble
    );
}
</pre>

<p>The URIMappingInterceptor can allow a REST client to access the service via a GET<br/>
request to a URL like:</p>

<p><a href="http://localhost:8080/DoubleItPort/DoubleIt&amp;numberToDouble=20"
class="external-link" rel="nofollow">http://localhost:8080/DoubleItPort/DoubleIt&amp;numberToDouble=20</a></p>

<p>The vulnerability arises when a simple SOAP service is secured with the<br/>
WSS4JInInterceptor, which enables WS-Security processing of the request.<br/>
WS-Security processing is completely bypassed in the case of an HTTP GET<br/>
request, and so access to the service can be enabled by the<br/>

<p>This is a critical vulnerability if you are using a WS-Security UsernameToken<br/>
or a SOAP message signature via the WSS4JInInterceptor to authenticate users<br/>
for a simple SOAP service. Please note that this advisory does not apply if <br/>
you are using WS-SecurityPolicy to secure the service, as the relevant policies<br/>
will not be asserted. Also note that this attack is only applicable to <br/>
relatively simple services that can be mapped to a URI via the<br/>

<p>This has been fixed in revisions:</p>

<p><a href=";revision=1409324"
class="external-link" rel="nofollow">;revision=1409324</a>
<a href=";revision=1420698" class="external-link"


<p>Although this issue is fixed in CXF 2.5.8, 2.6.5 and 2.7.2, due to a separate<br/>
security vulnerability (CVE-2013-0239), CXF users should upgrade to the<br/>
following versions:</p>

<p>Users of CXF prior to 2.5.x should upgrade to either 2.5.9, 2.6.6, or 2.7.3.<br/>
CXF 2.5.x users should upgrade to 2.5.9 as soon as possible.<br/>
CXF 2.6.x users should upgrade to 2.6.6 as soon as possible.<br/>
CXF 2.7.x users should upgrade to 2.7.3 as soon as possible.</p>
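<p>While upgrading, access logs can be reviewed for HTTP GET requests that name an operation on an endpoint protected only by the WSS4JInInterceptor, which is the request shape described above. The following is an added example, not part of the advisory or of CXF; the Common Log Format, the endpoint list and the sample log lines are assumptions constructed for illustration.</p>

```python
import re
from urllib.parse import unquote

# Assumption: endpoints that rely only on WSS4JInInterceptor for authentication.
PROTECTED_ENDPOINTS = ("/DoubleItPort",)

# Leading fields of a Common Log Format line (assumed access-log format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Feb/2013:10:01:02 +0000] "POST /DoubleItPort HTTP/1.1" 200 512',
    '192.0.2.10 - - [08/Feb/2013:10:01:05 +0000] "GET /DoubleItPort?wsdl HTTP/1.1" 200 2048',
    '198.51.100.7 - - [08/Feb/2013:10:02:11 +0000] "GET /DoubleItPort/DoubleIt&numberToDouble=20 HTTP/1.1" 200 301',
    '198.51.100.7 - - [08/Feb/2013:10:02:15 +0000] "GET /DoubleItPort/DoubleIt?numberToDouble=20 HTTP/1.1" 500 120',
    '203.0.113.5 - - [08/Feb/2013:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 99',
]


def find_get_invocations(lines, endpoints=PROTECTED_ENDPOINTS):
    """Return GET requests that name an operation under a protected endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        # The advisory's sample URL puts '&' before the parameters; '?' is handled too.
        path = unquote(re.split(r"[?&]", m["target"], maxsplit=1)[0])
        for endpoint in endpoints:
            if not path.startswith(endpoint + "/"):
                continue  # e.g. GET /DoubleItPort?wsdl names no operation
            operation = path[len(endpoint):].strip("/")
            if operation:
                hits.append({
                    "client": m["client"], "time": m["time"],
                    "operation": operation, "status": m["status"],
                    # 2xx: the GET was answered rather than rejected
                    "served": m["status"].startswith("2"),
                })
    return hits


if __name__ == "__main__":
    for hit in find_get_invocations(SAMPLE_LOG):
        print(hit)
```

<p>Entries with <code>served</code> set to true were answered with a 2xx status and are the ones to review first.</p>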

<p>References: <a href="" class="external-link"
