-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2014-0035: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy
Severity: Major
Vendor: The Apache Software Foundation
Versions Affected:
This vulnerability affects all versions of Apache CXF prior to 2.6.13
and 2.7.10.
Description:
UsernameTokens are sent in plaintext, i.e. not encrypted, by a CXF client that
uses a SymmetricBinding with EncryptBeforeSigning enabled, and a UsernameToken
policy that is a *EncryptedSupportingToken. No other binding is affected, and
SignBeforeEncrypting is not affected either.
This has been fixed in revisions:
http://svn.apache.org/viewvc?view=revision&revision=1564724
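As an added illustration, not part of this advisory or of CXF, the Python below audits a WS-SecurityPolicy document for the affected combination (SymmetricBinding with EncryptBeforeSigning plus a UsernameToken under any *EncryptedSupportingTokens assertion) and checks whether a serialized SOAP message still carries a cleartext wsse:UsernameToken. The policy and message samples are constructed, and the function names are my own.

```python
import xml.etree.ElementTree as ET

# WS-SecurityPolicy 1.1 and 1.2 namespaces; the assertion names are the same in both.
SP_NAMESPACES = {"http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
                 "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"}
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"


def _split(tag):
    """Return (namespace, local-name) for an ElementTree '{ns}name' tag."""
    ns, _, name = tag.rpartition("}")
    return ns.lstrip("{"), name


def _sp(root, local_name):
    """List root and its descendants named local_name in a securitypolicy namespace."""
    return [el for el in root.iter()
            if _split(el.tag)[1] == local_name and _split(el.tag)[0] in SP_NAMESPACES]


def has_vulnerable_combination(policy_xml):
    """True when a SymmetricBinding carries EncryptBeforeSigning AND a UsernameToken
    sits under any *EncryptedSupportingTokens assertion (the setup the advisory names)."""
    root = ET.fromstring(policy_xml)
    encrypt_first = any(_sp(b, "EncryptBeforeSigning") for b in _sp(root, "SymmetricBinding"))
    ut_under_encrypted = any(
        _split(el.tag)[0] in SP_NAMESPACES
        and _split(el.tag)[1].endswith("EncryptedSupportingTokens")
        and _sp(el, "UsernameToken")
        for el in root.iter())
    return encrypt_first and ut_under_encrypted


def username_token_in_clear(soap_xml):
    """True if a wsse:UsernameToken is still readable in the serialized message, i.e. it
    was not replaced by an xenc:EncryptedData element; a correct client sends no such element."""
    return ET.fromstring(soap_xml).find(".//{%s}UsernameToken" % WSSE_NS) is not None


# Constructed sample inputs (not taken from the advisory or from CXF).
VULNERABLE_POLICY = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
 <sp:SymmetricBinding><wsp:Policy><sp:EncryptBeforeSigning/></wsp:Policy></sp:SymmetricBinding>
 <sp:EncryptedSupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:EncryptedSupportingTokens>
</wsp:Policy>"""
SAFE_POLICY = VULNERABLE_POLICY.replace("EncryptBeforeSigning", "SignBeforeEncrypting")
LEAKED_MESSAGE = ('<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Header>'
                  '<wsse:Security xmlns:wsse="%s"><wsse:UsernameToken><wsse:Username>alice'
                  '</wsse:Username></wsse:UsernameToken></wsse:Security></s:Header></s:Envelope>'
                  % WSSE_NS)
```

Running the message check against captured client output is the practical test: with the affected versions and policy it returns True, after the fix the token is wrapped in xenc:EncryptedData and it returns False.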
Migration:
Although this vulnerability has been fixed in CXF 2.6.13 and 2.7.10, due to
other security advisories it is recommended to upgrade to the following
releases:
CXF 2.6.x users should upgrade to 2.6.14 or later as soon as possible.
CXF 2.7.x users should upgrade to 2.7.11 or later as soon as possible.
References: http://cxf.apache.org/security-advisories.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
-----END PGP SIGNATURE-----