[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAB8XdGDhW4HCipVx6YoBDbsoyZ6C9KRsMFnjnsXGEnrpEf6nBg@mail.gmail.com>
Date: Tue, 7 Feb 2012 10:39:45 +0000
From: Colm O hEigeartaigh <coheigea@...che.org>
To: users@....apache.org
Cc: dev@....apache.org, Apache Security Response Team <security@...che.org>,
bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: CVE-2012-0803: Apache CXF does not validate
UsernameToken policies correctly
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2012-0803: Apache CXF does not validate UsernameToken policies correctly
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Apache CXF 2.4.5 and 2.5.1
Description: CXF does not validate a WS-Security UsernameToken received as part
of the security header of a SOAP request against a WS-SP UsernameToken policy.
A malicious client could send a request to the endpoint with no UsernameToken,
and the UsernameToken policy requirement would still be marked as valid.
This has been fixed in revision:
http://svn.apache.org/viewvc?view=revision&revision=1233457
This issue was a regression in CXF 2.4.5 and 2.5.1. The vulnerability does not
exist in CXF 2.4.4 and 2.5.0.
Migration:
CXF 2.4.5 users should upgrade to 2.4.6 as soon as possible.
CXF 2.5.1 users should upgrade to 2.5.2 as soon as possible.
References: http://cxf.apache.org/security-advisories.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQEcBAEBAgAGBQJPMAVXAAoJEGe/gLEK1TmD6y0H/2aP3A02qoFKeV0oYj7y8BCv
yPymkAilG6RLZK3kafZREnQ2jY/lCT0xXNP5n+0TYEu56WuS5tGzAeWpQc1TFmbi
Uq0YTv5RM3TZZ8lzThid+ean1qBU9LuIziQqKWP0QRpw+UipUHq68jTGkAOMePId
IbXnyogUy0si3jpI7BCnMsDOR8fGx9+t35D5jfcVf4aH+jFP1W4DhjeFbDhMlvSF
8Z4Pphvd7yi6x469dx0e46cGLaGi/BYyG3C2IrMOAmUXBcYB3g3skZN1nrY1t90n
IB12w03xishiAZVNs9FsfR3lAa84zX8z7+hrqb8Rlra1evhJBXQ/L583bmMmxKc=
=iU+M
-----END PGP SIGNATURE-----
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists