CVE-2014-0035: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 2.6.13
and 2.7.10.

Description:

UsernameTokens are sent in plaintext, i.e. not encrypted, by a CXF client that
uses a SymmetricBinding with EncryptBeforeSigning enabled, and a UsernameToken
policy that is a *EncryptedSupportingToken. No other binding is affected, and
SignBeforeEncrypting is not affected either.

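As an added example (not part of this advisory and not Apache CXF code), the following defender-side check inspects a captured outbound SOAP message and reports whether the wsse:UsernameToken is readable in the clear, which is the symptom described above; the namespace constants are the standard WS-Security ones, and the two sample envelopes are constructed for the demo.

```python
# Added example (not Apache CXF code): audit a captured SOAP message for a
# wsse:UsernameToken that crossed the wire in the clear instead of inside
# xenc:EncryptedData. The sample envelopes below are constructed for this demo.
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
XENC = "http://www.w3.org/2001/04/xmlenc#"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"

def audit_username_token(soap_xml: str) -> dict:
    """plaintext_token: a parseable wsse:UsernameToken is in the header, so the
    credential was sent unencrypted. password_type: fragment of wsse:Password/@Type.
    encrypted_data_present: xenc:EncryptedData is in the header, the shape an
    EncryptedSupportingToken should have on the wire."""
    root = ET.fromstring(soap_xml)
    sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    result = {"plaintext_token": False, "password_type": None,
              "encrypted_data_present": False}
    if sec is None:  # no WS-Security header at all
        return result
    token = sec.find(f"{{{WSSE}}}UsernameToken")
    if token is not None:  # readable XML means it was never encrypted
        result["plaintext_token"] = True
        pw = token.find(f"{{{WSSE}}}Password")
        if pw is not None:
            result["password_type"] = pw.get("Type", "").rsplit("#", 1)[-1] or None
    result["encrypted_data_present"] = (
        sec.find(f".//{{{XENC}}}EncryptedData") is not None)
    return result

# Constructed: what the affected client emits (token readable in the clear).
LEAKED = f"""<s:Envelope xmlns:s="{SOAP}"><s:Header><wsse:Security xmlns:wsse="{WSSE}">
 <wsse:UsernameToken><wsse:Username>alice</wsse:Username>
  <wsse:Password Type="{UTP}#PasswordText">secret</wsse:Password>
 </wsse:UsernameToken></wsse:Security></s:Header><s:Body/></s:Envelope>"""

# Constructed: the expected shape, the token replaced by xenc:EncryptedData.
PROTECTED = f"""<s:Envelope xmlns:s="{SOAP}"><s:Header>
 <wsse:Security xmlns:wsse="{WSSE}" xmlns:xenc="{XENC}">
  <xenc:EncryptedData Id="ED-1"><xenc:CipherData>
   <xenc:CipherValue>BASE64-CIPHERTEXT-PLACEHOLDER</xenc:CipherValue>
  </xenc:CipherData></xenc:EncryptedData></wsse:Security></s:Header><s:Body/></s:Envelope>"""

if __name__ == "__main__":
    for name, msg in (("leaked", LEAKED), ("protected", PROTECTED)):
        print(name, audit_username_token(msg))
```

Run it against messages captured from a client configured with the affected policy before and after upgrading: a "plaintext_token" of True on the wire means the token was not covered by the encryption.
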
This has been fixed in revisions:

http://svn.apache.org/viewvc?view=revision&revision=1564724

Migration:

Although this vulnerability has been fixed in CXF 2.6.13 and 2.7.10, due to
other security advisories it is recommended to upgrade to the following
releases:

CXF 2.6.x users should upgrade to 2.6.14 or later as soon as possible.
CXF 2.7.x users should upgrade to 2.7.11 or later as soon as possible.

References: http://cxf.apache.org/security-advisories.html