Date: Fri, 24 Oct 2014 19:10:21 +0100
From: Colm O hEigeartaigh <coheigea@...che.org>
To: "users@....apache.org" <users@....apache.org>, "dev@....apache.org" <dev@....apache.org>, 
	Apache Security Response Team <security@...che.org>, oss-security@...ts.openwall.com, 
	bugtraq@...urityfocus.com
Subject: New security advisories released for Apache CXF

Two new security advisories have been released for Apache CXF:

 - CVE-2014-3623: Apache CXF does not properly enforce the security
semantics of SAML SubjectConfirmation methods when used with the
TransportBinding

 - CVE-2014-3584: Apache CXF JAX-RS SAML handling is vulnerable to a Denial
of Service (DoS) attack

Advisories attached to this mail + also available via the CXF security
advisories page:

http://cxf.apache.org/security-advisories.html

Colm.

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

CVE-2014-3584: Apache CXF JAX-RS SAML handling is vulnerable to a Denial of
Service (DoS) attack

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 3.0.0-milestone1,
2.7.8 and 2.6.11.

Description:

An Apache CXF JAX-RS service can process SAML tokens received in the
authorization header of a request via the SamlHeaderInHandler. However, it is
possible to cause an infinite loop in the parsing of this header by passing
certain bad values for the header, leading to a Denial of Service attack on
the service.

This has been fixed in revision:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=0b3894f57388b9955f2c33b2295223f2835cd7b3

Migration:

CXF 2.6.x users should upgrade to 2.6.11 or later as soon as possible.
CXF 2.7.x users should upgrade to 2.7.8 or later as soon as possible.
CXF 3.0.x users should upgrade to 3.0.1 or later as soon as possible.

Credit: This issue was reported by Dario Amiri (GE Global Research)

References: http://cxf.apache.org/security-advisories.html


CVE-2014-3623: Apache CXF does not properly enforce the security semantics of
SAML SubjectConfirmation methods when used with the TransportBinding

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 2.7.13 and
3.0.2.

Description:

Different SAML SubjectConfirmation methods (holder-of-key, sender-vouches,
bearer) carry different security requirements. These requirements are not
properly enforced in Apache CXF when used with the TransportBinding, leaving
endpoints that rely on SAML for authentication vulnerable to spoofing attacks.
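As an added illustration (not CXF or WSS4J code) of the semantics this advisory says were not enforced: a check that applies the SAML Token Profile rule for each SubjectConfirmation method to what a transport-bound endpoint can actually verify, beside the lax acceptance the advisory describes. The Evidence fields, the method URIs used as constants, and the assumption that TLS client authentication is the only proof available under the TransportBinding are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# SAML 2.0 SubjectConfirmation method URIs (from the SAML Token Profile).
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


@dataclass
class Evidence:
    """Constructed model of what the endpoint can verify about one request."""
    method: str                          # SubjectConfirmation method URI
    assertion_signed_by_trusted_issuer: bool
    confirmation_key: Optional[str]      # key named in SubjectConfirmation/KeyInfo
    tls_client_key: Optional[str]        # public key of the TLS client certificate
    tls_client_trusted: bool             # client cert chains to a trusted CA


def naive_accept(e: Evidence) -> bool:
    """Lax behaviour: any assertion from a trusted issuer is accepted,
    whatever the confirmation method claims. A stolen holder-of-key
    assertion replayed by someone without the key is then accepted."""
    return e.assertion_signed_by_trusted_issuer


def enforce_subject_confirmation(e: Evidence) -> bool:
    """Apply the per-method requirement before trusting the subject."""
    if e.method == HOLDER_OF_KEY:
        # Proof of possession: the party on the TLS connection must hold
        # the key the (trusted) issuer bound to the subject.
        return (e.assertion_signed_by_trusted_issuer
                and e.confirmation_key is not None
                and e.tls_client_key == e.confirmation_key)
    if e.method == SENDER_VOUCHES:
        # The attesting entity, not the subject, is authenticated; it must
        # be a party the endpoint already trusts to vouch for subjects.
        return e.tls_client_key is not None and e.tls_client_trusted
    if e.method == BEARER:
        # No proof of possession exists; trust rests on the issuer signature.
        return e.assertion_signed_by_trusted_issuer
    return False  # unknown or missing method: reject rather than guess
```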

This has been fixed in revisions (in Apache WSS4J):

http://svn.apache.org/viewvc?view=revision&revision=1624308
http://svn.apache.org/viewvc?view=revision&revision=1624287
http://svn.apache.org/viewvc?view=revision&revision=1624262

Migration:

CXF 2.7.x users should upgrade to 2.7.13 or later as soon as possible.
CXF 3.0.x users should upgrade to 3.0.2 or later as soon as possible.

Credit: This issue was reported by Dario Amiri (GE Global Research)

References: http://cxf.apache.org/security-advisories.html
