lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAB8XdGBwXW5-7C-0rWJ0AifBQ20x960rSST8QqUPOTMYK7autA@mail.gmail.com>
Date: Thu, 7 Jun 2012 10:38:35 +0100
From: Colm O hEigeartaigh <coheigea@...che.org>
To: users@....apache.org, dev@....apache.org, 
	Apache Security Response Team <security@...che.org>,
	full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: CVE-2012-2378 - Apache CXF does not pick up some
 child policies of WS-SecurityPolicy 1.1 SupportingToken policy assertions
 on the client side.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


CVE-2012-2378: Apache CXF does not pick up some child policies of
WS-SecurityPolicy 1.1 SupportingToken policy assertions on the client side.

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

Apache CXF 2.4.5 to 2.4.7
Apache CXF 2.5.1 to 2.5.3
Apache CXF 2.6.0

Description:

None of the following child policies of a WS-SecurityPolicy 1.1
(.*)SupportingToken policy are picked up on the client side:

 - AlgorithmSuite
 - SignedParts
 - SignedElements
 - EncryptedParts
 - EncryptedElements

Note that all of these policies are picked up on the client side in the most
common use-cases, for example when an AlgorithmSuite is specified under a
security binding, or when a SignedParts Element is specified per-operation
or
per-binding. They only do not apply when a SupportingToken is used to sign
or encrypt some part or element, for example:

<sp:EndorsingSupportingToken
  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  ...
  <sp:SignedParts>
        <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"
/>
  </sp:SignedParts>
</sp:EndorsingSupportingToken>

Also note that this does not apply for the WS-SecurityPolicy 1.2 namespace,
but *only* for the older WS-SecurityPolicy 1.1 namespace of:

"http://schemas.xmlsoap.org/ws/2005/07/securitypolicy".

This has been fixed in revision:

http://svn.apache.org/viewvc?view=revision&revision=1337150

The versions that are affected are CXF 2.4.5 to 2.4.7, CXF 2.5.1 to 2.5.3,
and
CXF 2.6.0. The vulnerability does not exist in CXF 2.3.10, CXF 2.4.4 or
2.5.0.

Migration:

CXF 2.4.5 to 2.4.7 users should upgrade to 2.4.8 as soon as possible.
CXF 2.5.1 to 2.5.3 users should upgrade to 2.5.4 as soon as possible.
CXF 2.6.0 users should upgrade to 2.6.1 as soon as possible.

References: http://cxf.apache.org/security-advisories.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJP0HTJAAoJEGe/gLEK1TmDRsEIAIHNiUGAE9Ct+RAd2XT7yiLk
5fbN93dB87bFyl2byXBXxUu5vwyPAoT015CDSqqU16g3wNd4WM/WSCF0sNBCOAF9
qQ+cO0CNXG7xeE9/qfjsePxYDeWu729Et+KUBAmmsGvvY0xcP+zL1DmxP4wM45jT
2I6r85PLinYh4QeV3o0F6m3R2dFJQWLEpQwmQDl8C+zNObuRdZ6MlgKEPOPz10Ie
S9xQg7S3w8YPjk8FQGWX5hbRWteGLBftX2VD9rxz9gK2r9YN4eg6BL6S71LoAYNx
hM1CbT1Q+jFk8Biv7ZvL2l2X59wdk+J+xdYCJomxCEUUFMFEM0dkFBad8BU0nOk=
=YSM6
-----END PGP SIGNATURE-----


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ