lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAB8XdGDhW4HCipVx6YoBDbsoyZ6C9KRsMFnjnsXGEnrpEf6nBg@mail.gmail.com>
Date: Tue, 7 Feb 2012 10:39:45 +0000
From: Colm O hEigeartaigh <coheigea@...che.org>
To: users@....apache.org
Cc: dev@....apache.org, Apache Security Response Team <security@...che.org>,
	bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: CVE-2012-0803: Apache CXF does not validate
	UsernameToken policies correctly

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


CVE-2012-0803: Apache CXF does not validate UsernameToken policies correctly

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache CXF 2.4.5 and 2.5.1

Description: CXF does not validate a WS-Security UsernameToken received as part
of the security header of a SOAP request against a WS-SP UsernameToken policy.

A malicious client could send a request to the endpoint with no UsernameToken,
and the UsernameToken policy requirement would still be marked as valid.

This has been fixed in revision:

http://svn.apache.org/viewvc?view=revision&revision=1233457

This issue was a regression in CXF 2.4.5 and 2.5.1. The vulnerability does not
exist in CXF 2.4.4 and 2.5.0.

Migration:

CXF 2.4.5 users should upgrade to 2.4.6 as soon as possible.
CXF 2.5.1 users should upgrade to 2.5.2 as soon as possible.

References: http://cxf.apache.org/security-advisories.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJPMAVXAAoJEGe/gLEK1TmD6y0H/2aP3A02qoFKeV0oYj7y8BCv
yPymkAilG6RLZK3kafZREnQ2jY/lCT0xXNP5n+0TYEu56WuS5tGzAeWpQc1TFmbi
Uq0YTv5RM3TZZ8lzThid+ean1qBU9LuIziQqKWP0QRpw+UipUHq68jTGkAOMePId
IbXnyogUy0si3jpI7BCnMsDOR8fGx9+t35D5jfcVf4aH+jFP1W4DhjeFbDhMlvSF
8Z4Pphvd7yi6x469dx0e46cGLaGi/BYyG3C2IrMOAmUXBcYB3g3skZN1nrY1t90n
IB12w03xishiAZVNs9FsfR3lAa84zX8z7+hrqb8Rlra1evhJBXQ/L583bmMmxKc=
=iU+M
-----END PGP SIGNATURE-----

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ