lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAB8XdGBL4Ufoh2Snz8mnsGB69Lh8Q-EgB6DrLbPseNwSZY=SSw@mail.gmail.com>
Date: Wed, 19 Sep 2012 17:03:29 +0100
From: Colm O hEigeartaigh <coheigea@...che.org>
To: users@....apache.org, dev@....apache.org, security@...che.org, 
	full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: CVE-2012-3451 - Apache CXF is vulnerable to SOAP
 Action spoofing attacks on Document Literal web services.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


CVE-2012-3451: Apache CXF is vulnerable to SOAP Action spoofing attacks on
Document Literal web services.

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all released versions of Apache CXF.

Description:

Each operation in a SOAP web service can be associated with a SOAP Action
String (e.g. in the WSDL binding or via an annotation). The web service
client
can send the SOAP Action String as a header with the request as a way of
letting the web service know what operation is required.

In some cases, CXF uses the received SOAP Action to select the correct
operation to invoke, and does not check to see that the message body is
correct. This can be exploitable to execute a SOAP Action spoofing attack,
where an adversary can execute another operation in the web service by
sending
the corresponding SOAP Action. This attack only works if the different
operation takes the same parameter types, and hence has somewhat limited
applicability.

This attack also only applies for web services that use unique SOAPActions
per
service operation which is not the default in CXF. Also note that WS-Policy
validation is done against the operation being invoked and thus the incoming
message must meet those policy requirements as well, also limiting
applicability.

This has been fixed in revision:

http://svn.apache.org/viewvc?view=revision&revision=1368559

All released versions of CXF are affected.

Migration:

Users of CXF prior to 2.4.x should upgrade to either 2.4.9, 2.5.5, or 2.6.2.
CXF 2.4.x users should upgrade to 2.4.9 as soon as possible.
CXF 2.5.x users should upgrade to 2.5.5 as soon as possible.
CXF 2.6.x users should upgrade to 2.6.2 as soon as possible.

References: http://cxf.apache.org/security-advisories.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJQWeNgAAoJEGe/gLEK1TmD2HYH/AomMsGxr/1WwT9dRQqUROG8
/2DLGe6lF2Ww+BxCxruxRosTU6QciAJqMWyDbIuMq8ANh9lEJNfjd+fxIGque8wo
2nWTc4U/AwLMgBxzonIH4uPDj5HK1R4LGqegzi78/vzJu0F3Q+M7mWPPwLOl6mCg
d0t+PSgWAsi8IVHAd99rxHSOwGnoiDjVjCaSMSpZ/nkYv9giO3YMjf69wKajQmVz
toFBckis8w0GN/GJ52LPPRcHc3ibpRIcPQXPscWdm0jq1b2UYTEwA5ylGMgJw5Lh
VBl8BTGO/dEkuA937UlYu+zUtbRb24RNf9e9eBgzHK32HNoM6zwBgtOf+owjTdM=
=k1gm
-----END PGP SIGNATURE-----


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ