cxf-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache CXF > CVE-2012-5633
Date Fri, 08 Feb 2013 11:29:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF/CVE-2012-5633">CVE-2012-5633</a></h2>
    <h4>Page  <b>added</b> by             <a href="https://cwiki.apache.org/confluence/display/~coheigea@apache.org">Colm
O hEigeartaigh</a>
    </h4>
         <br/>
    <div class="notificationGreySide">
         <p>-----BEGIN PGP SIGNED MESSAGE-----<br/>
Hash: SHA1</p>


<p>CVE-2012-5633: WSS4JInInterceptor always allows HTTP Get requests from browser </p>

<p>Severity: Critical</p>

<p>Vendor: The Apache Software Foundation</p>

<p>Versions Affected:</p>

<p>This vulnerability affects all versions of Apache CXF prior to 2.5.8, 2.6.5<br/>
and 2.7.2. CXF 2.7.1 is not affected by default, however the vulnerability<br/>
exists if you are explicitly adding the URIMappingInterceptor to the default<br/>
chain.</p>

<p>Description:</p>

<p>The URIMappingInterceptor in CXF is a legacy interceptor that allows some basic<br/>
"rest style" access to a simple SOAP service. The functionality provided by<br/>
this interceptor has since been replaced by the JAX-RS standard.</p>

<p>An example of how this interceptor works is as follows. A simple "double it"<br/>
webservice is defined as:</p>

<pre>@WebService(name = "DoubleItPortType")
public interface DoubleItPortType {
    @WebMethod(operationName = "DoubleIt")
    public int doubleIt(
        @WebParam(name = "numberToDouble") int numberToDouble
    );
}</pre>

<p>The URIMappingInterceptor can allow a REST client to access the service via a GET<br/>
request to a URL like:</p>

<p><a href="http://localhost:8080/DoubleItPort/DoubleIt&amp;numberToDouble=20"
class="external-link" rel="nofollow">http://localhost:8080/DoubleItPort/DoubleIt&amp;numberToDouble=20</a></p>

<p>The vulnerability arises when a simple SOAP service is secured with the<br/>
WSS4JInInterceptor, which enables WS-Security processing of the request.<br/>
WS-Security processing is completely bypassed in the case of an HTTP GET<br/>
request, and so access to the service can be gained through the<br/>
URIMappingInterceptor.</p>

<p>This is a critical vulnerability if you are using a WS-Security UsernameToken<br/>
or a SOAP message signature via the WSS4JInInterceptor to authenticate users<br/>
for a simple SOAP service. Please note that this advisory does not apply if <br/>
you are using WS-SecurityPolicy to secure the service, as the relevant policies<br/>
will not be asserted. Also note that this attack is only applicable to <br/>
relatively simple services that can be mapped to a URI via the<br/>
URIMappingInterceptor.</p>
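<p>As an added illustration of the mitigating control (this is not code from the advisory or from the CXF project), the following hypothetical interceptor rejects any request that is not an HTTP POST before the WSS4JInInterceptor runs. It relies on the public CXF interceptor API (<code>AbstractPhaseInterceptor</code>, <code>Phase.RECEIVE</code>, <code>Message.HTTP_REQUEST_METHOD</code>, <code>Fault</code>); the class name <code>PostOnlyInterceptor</code> and the decision to fail closed when no method is recorded are assumptions made for the example.</p>

```java
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

/**
 * Hypothetical hardening interceptor (example only, not part of CXF).
 *
 * WSS4JInInterceptor runs in the PRE_PROTOCOL phase; the RECEIVE phase is
 * earlier in the inbound chain, so placing this check there guarantees a
 * GET that the URIMappingInterceptor could map to an operation is refused
 * before WS-Security processing is ever skipped.
 */
public class PostOnlyInterceptor extends AbstractPhaseInterceptor<Message> {

    public PostOnlyInterceptor() {
        super(Phase.RECEIVE);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        // CXF's HTTP transport records the verb under this key.
        Object method = message.get(Message.HTTP_REQUEST_METHOD);

        // Fail closed: a missing or non-POST verb on a WS-Security
        // protected SOAP endpoint is rejected. Relax the null case only
        // for endpoints deliberately exposed over a non-HTTP transport.
        if (method == null || !"POST".equalsIgnoreCase(method.toString())) {
            throw new Fault(new SecurityException(
                "Rejected HTTP " + method
                + ": only POST is accepted on this WS-Security protected endpoint"));
        }
    }
}
```

<p>Register it on the endpoint alongside the WSS4JInInterceptor (for example by adding it to the endpoint's in-interceptor list); because the phase ordering places it first, the order of registration does not matter. This is a stop-gap for deployments that cannot upgrade immediately; the versions listed under Migration remain the proper fix.</p>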

<p>This has been fixed in revisions:</p>

<p><a href="http://svn.apache.org/viewvc?view=revision&amp;revision=1409324"
class="external-link" rel="nofollow">http://svn.apache.org/viewvc?view=revision&amp;revision=1409324</a>
<a href="http://svn.apache.org/viewvc?view=revision&amp;revision=1420698" class="external-link"
rel="nofollow">http://svn.apache.org/viewvc?view=revision&amp;revision=1420698</a></p>

<p>Migration:</p>

<p>Although this issue is fixed in CXF 2.5.8, 2.6.5 and 2.7.2, due to a separate<br/>
security vulnerability (CVE-2013-0239), CXF users should upgrade to the<br/>
following versions:</p>

<p>Users of CXF prior to 2.5.x should upgrade to either 2.5.9, 2.6.6, or 2.7.3.<br/>
CXF 2.5.x users should upgrade to 2.5.9 as soon as possible.<br/>
CXF 2.6.x users should upgrade to 2.6.6 as soon as possible.<br/>
CXF 2.7.x users should upgrade to 2.7.3 as soon as possible.</p>

<p>References: <a href="http://cxf.apache.org/security-advisories.html" class="external-link"
rel="nofollow">http://cxf.apache.org/security-advisories.html</a></p>

<p>-----BEGIN PGP SIGNATURE-----<br/>
Version: GnuPG v1.4.11 (GNU/Linux)</p>

<p>iQEcBAEBAgAGBQJRFM+PAAoJEGe/gLEK1TmDLW8IAKrzgMRi0avREKTbK3xwVcK4<br/>
OhpIc2ZckiHjuhTd4CAfR+8MblIx2aVKTywcIwbvSkwuqAj2YnHrc33RFLA2ifNU<br/>
00tKHlDfYWU2MzP+nPPHtgFMQbb9XclINLeCl8qiJAeZTW3gYOBEQ1XHL7yM1f8E<br/>
i3NSyIaIaRHmgB0IDWMNd1pQvkB6OrXJvxPWhkL6ea+GaCaC5+wInQWBWmNUOsj4<br/>
m/qnalxDgmRCHSLiHNw6N0l1Qb/nsL45MNvmLQglXZZAR1+npb1jtqega0DchFn7<br/>
ohEyVJpkFuASPcPsqeSpSbEYixjXSQCnJvw6RZlOvfXC7F6u49xjrRiskP/RBX0=<br/>
=IP0q<br/>
-----END PGP SIGNATURE-----</p>
    </div>
</div>
</div>
</div>
</div>
</body>
</html>
