-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


CVE-2014-0034: The SecurityTokenService accepts certain invalid SAML Tokens as valid

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 2.6.12
and 2.7.9.

Description:

The SecurityTokenService (STS) provided as part of Apache CXF has bindings to
issue, validate, renew and cancel tokens. The main use-case is to issue SAML
tokens. However, a less common use-case is to use the STS to validate SAML
tokens. The vulnerability is that there are certain circumstances in which the
STS will accept an invalid SAML token as valid if caching is enabled.

This has been fixed in revisions:

http://svn.apache.org/viewvc?view=revision&revision=1551228

Migration:

Although this vulnerability has been fixed in CXF 2.6.12 and 2.7.9, due to
other security advisories it is recommended to upgrade to the following
releases:

CXF 2.6.x users should upgrade to 2.6.14 or later as soon as possible.
CXF 2.7.x users should upgrade to 2.7.11 or later as soon as possible.

References: http://cxf.apache.org/security-advisories.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQEcBAEBAgAGBQJTPq+DAAoJEGe/gLEK1TmDkYIH/jZzuSAA43eI/MhFRuFDEpIJ
/xI7xCk1jzFxoWNY9wBYdleYsI67Fwg6IZ6wyLuATicZRJxR+XVOMtglT7NLU4hd
ucml3AU8ahUNANebttK8/uJMXVmGRYq5YrcQivkz+D2Z57GFLYP4xD16RlSRoQ8u
14f47wgoDw3P6S1daRGnJTG03A1re+iTADPuFvB4njMCGHQN2a0+3KzD15NZHEhF
owN0BEj7T2tAVAOBgLqy9n9XbnmmXIUgKXaqyfYmZOi4wy7oCHYC+yPt5fiaAhvL
TtzE7SjiPw6GAzC5NMSpjJYoPp8t1CaCwvnG8R0vOKgKtz6B6xT5rNBPNctkO8A=
=b4dY
-----END PGP SIGNATURE-----
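The following triage helper is an added example, not part of the signed advisory above and not Apache CXF project code. It applies the "Versions Affected" and "Migration" ranges from the advisory to a list of CXF jar file names: anything below 2.6.12 (including older lines such as 2.5.x) or in 2.7.0 to 2.7.8 is flagged as vulnerable to CVE-2014-0034, versions that carry the fix but sit below the recommended 2.6.14 / 2.7.11 releases are flagged as still needing an upgrade, and lines the advisory does not mention are reported as unknown. The Maven-style `cxf-<module>-<version>.jar` naming pattern is an assumption, and the sample jar names are constructed for the example.

```python
"""Triage helper for CVE-2014-0034 (Apache CXF STS accepting invalid SAML tokens
when caching is enabled).

Added example, not part of the advisory or of Apache CXF. Version ranges come
from the advisory text: fixed in 2.6.12 / 2.7.9, upgrade to 2.6.14 / 2.7.11
recommended because of other advisories.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Per release line: version carrying the CVE fix, and version the advisory recommends.
FIXED: Dict[Tuple[int, int], Version] = {(2, 6): (2, 6, 12), (2, 7): (2, 7, 9)}
RECOMMENDED: Dict[Tuple[int, int], Version] = {(2, 6): (2, 6, 14), (2, 7): (2, 7, 11)}

# Assumed Maven naming convention, e.g. cxf-rt-ws-security-2.7.8.jar or
# cxf-services-sts-core-2.7.9-SNAPSHOT.jar (qualifier captured but ignored).
JAR_RE = re.compile(
    r"^cxf(?:-[a-z0-9]+)*-(\d+)\.(\d+)\.(\d+)(?:[-.]([A-Za-z0-9]+))?\.jar$"
)


def parse_version(jar_name: str) -> Optional[Version]:
    """Return (major, minor, patch) for a CXF jar name, or None for non-CXF jars."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch)


def classify(version: Version) -> str:
    """Classify one CXF version against CVE-2014-0034.

    'vulnerable'    - below the fixed version of its line, or an older line entirely
    'fixed-upgrade' - has the fix but is below the release the advisory recommends
    'ok'            - at or above the recommended release
    'unknown-line'  - a release line the advisory does not cover
    """
    line = (version[0], version[1])
    if line in FIXED:
        if version < FIXED[line]:
            return "vulnerable"
        if version < RECOMMENDED[line]:
            return "fixed-upgrade"
        return "ok"
    # The advisory says all versions prior to 2.6.12 are affected, so any
    # older line (2.5.x, 2.4.x, ...) is vulnerable regardless of its patch level.
    if version < (2, 6, 12):
        return "vulnerable"
    return "unknown-line"


def triage(jar_names: List[str]) -> Dict[str, str]:
    """Map each CXF jar in an inventory to its classification; other jars are skipped."""
    report: Dict[str, str] = {}
    for name in jar_names:
        version = parse_version(name)
        if version is not None:
            report[name] = classify(version)
    return report


# Constructed sample inventory for the example (not from a real deployment).
SAMPLE_JARS = [
    "cxf-rt-ws-security-2.7.8.jar",
    "cxf-services-sts-core-2.7.9.jar",
    "cxf-api-2.6.14.jar",
    "cxf-bundle-2.5.10.jar",
    "wss4j-1.6.14.jar",
]

if __name__ == "__main__":
    for jar, status in triage(SAMPLE_JARS).items():
        print(f"{status:14} {jar}")
```

Point `triage()` at the jar names from a deployment's `lib/` directory (or a parsed dependency tree) to get a per-artifact verdict; note that a single "vulnerable" STS jar on the classpath matters even when the rest of the CXF artifacts are current.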