Two new security advisories have been released for Apache CXF:

- CVE-2014-3623: Apache CXF does not properly enforce the security semantics of SAML SubjectConfirmation methods when used with the TransportBinding
- CVE-2014-3584: Apache CXF JAX-RS SAML handling is vulnerable to a Denial of Service (DoS) attack

Advisories attached to this mail + also available via the CXF security advisories page: http://cxf.apache.org/security-advisories.html

Colm.

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
CVE-2014-3584: Apache CXF JAX-RS SAML handling is vulnerable to a Denial of Service (DoS) attack

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all versions of Apache CXF prior to 3.0.0-milestone1, 2.7.8 and 2.6.11.

Description: An Apache CXF JAX-RS service can process SAML tokens received in the authorization header of a request via the SamlHeaderInHandler. However, it is possible to cause an infinite loop in the parsing of this header by passing certain bad values for the header, leading to a Denial of Service attack on the service.

This has been fixed in revision: https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=0b3894f57388b9955f2c33b2295223f2835cd7b3

Migration: CXF 2.6.x users should upgrade to 2.6.11 or later as soon as possible. CXF 2.7.x users should upgrade to 2.7.8 or later as soon as possible. CXF 3.0.x users should upgrade to 3.0.1 or later as soon as possible.

Credit: This issue was reported by Dario Amiri (GE Global Research)

References: http://cxf.apache.org/security-advisories.html
CVE-2014-3623: Apache CXF does not properly enforce the security semantics of SAML SubjectConfirmation methods when used with the TransportBinding

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all versions of Apache CXF prior to 2.7.13 and 3.0.2.

Description: There are different security requirements associated with SAML SubjectConfirmation methods. These security requirements are not properly enforced in Apache CXF when used with the TransportBinding, leaving endpoints that rely on SAML for authentication vulnerable to types of spoofing attacks.

This has been fixed in revisions (in Apache WSS4J):
http://svn.apache.org/viewvc?view=revision&revision=1624308
http://svn.apache.org/viewvc?view=revision&revision=1624287
http://svn.apache.org/viewvc?view=revision&revision=1624262

Migration: CXF 2.7.x users should upgrade to 2.7.13 or later as soon as possible. CXF 3.0.x users should upgrade to 3.0.2 or later as soon as possible.

Credit: This issue was reported by Dario Amiri (GE Global Research)

References: http://cxf.apache.org/security-advisories.html
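A small triage helper for the two advisories above, added here as an example and not part of the advisories or of the CXF project. The version boundaries are taken from the "Versions Affected" and "Migration" sections; the ordering rule for pre-release qualifiers (3.0.0-milestone1 sorts before 3.0.0) is an assumption about CXF version strings.

```python
"""Check which of the two CXF advisories in this mail apply to a deployed version.

Added example, not advisory text. Fixed versions below are copied from the
advisories; the comparison logic (including milestone ordering) is our own.
"""
import re

# Fixed version per affected branch, as stated in each advisory.
ADVISORIES = {
    "CVE-2014-3584": ["2.6.11", "2.7.8", "3.0.0-milestone1"],
    "CVE-2014-3623": ["2.7.13", "3.0.2"],
}


def version_key(version):
    """Map 'MAJOR.MINOR.PATCH[-qualifierN]' to a sortable tuple.
    A pre-release qualifier (milestone1, ...) sorts before the final release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-([a-zA-Z]+)(\d*))?", version)
    if not m:
        raise ValueError(f"unrecognised CXF version: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:
        qualifier = (1, 0)                      # final release ranks highest
    else:
        qualifier = (0, int(m.group(5) or 0))   # milestoneN ranks by N
    return (major, minor, patch) + qualifier


def affected_by(version, fixed_versions):
    """True if `version` is older than the fix for its MAJOR.MINOR branch.
    Branches older than every fixed branch never received a fix, so they count
    as affected; branches newer than every fixed branch are treated as clean."""
    v = version_key(version)
    branch = v[:2]
    fixes = sorted(version_key(f) for f in fixed_versions)
    for f in fixes:
        if f[:2] == branch:
            return v < f
    if branch < fixes[0][:2]:
        return True
    return branch < fixes[-1][:2]   # unlisted in-between branch: assume unfixed


def triage(version):
    """Return the CVE ids from ADVISORIES that apply to `version`."""
    return [cve for cve, fixes in ADVISORIES.items() if affected_by(version, fixes)]


if __name__ == "__main__":
    for v in ("2.6.10", "2.7.8", "3.0.0-milestone2", "3.0.1", "3.0.2"):
        print(v, triage(v))
```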
