CVE-2016-4464: Apache CXF Fediz application plugins do not match the SAML
AudienceRestriction values against the list of configured audience URIs.

Severity: Minor

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects Apache CXF Fediz 1.2.0, 1.2.1, 1.2.2 and 1.3.0.

Description:

Apache CXF Fediz is a subproject of Apache CXF which implements the
WS-Federation Passive Requestor Profile for SSO specification. It provides a
number of container-based plugins to enable SSO for Relying Party applications.
It is possible to configure a list of audience URIs for the plugins, against
which the AudienceRestriction values of the received SAML tokens are supposed
to be matched. However, this matching does not actually take place.

This means that a token targeted for another service could be accepted by the
application plugin (assuming that its signature is trusted), something that
could potentially be exploited by an attacker.
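The check the advisory describes as missing, written here as an added example that is not Fediz's own code: it extracts the AudienceRestriction values from a SAML 2.0 assertion and matches them exactly against a configured set of audience URIs. It assumes the token's signature has already been verified; the assertion builder and the example URIs are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def extract_audience_restrictions(assertion_xml: str) -> list[list[str]]:
    """Return one list of Audience URIs per <AudienceRestriction> element.

    SAML 2.0 core: several AudienceRestriction elements are ANDed, while the
    Audience values inside a single element are ORed.
    """
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML2_NS}
    restrictions = []
    for ar in root.findall(".//saml:Conditions/saml:AudienceRestriction", ns):
        audiences = [(a.text or "").strip() for a in ar.findall("saml:Audience", ns)]
        restrictions.append(audiences)
    return restrictions


def audience_is_accepted(assertion_xml: str, configured_audiences: set[str]) -> bool:
    """The check that was skipped: every AudienceRestriction must name at
    least one configured URI. Matching is exact string equality, so a
    prefix or substring of a configured URI does not pass."""
    restrictions = extract_audience_restrictions(assertion_xml)
    if not restrictions:
        # Policy choice for this example: fail closed when the token names
        # no audience at all, rather than assume it was meant for us.
        return False
    return all(any(aud in configured_audiences for aud in group)
               for group in restrictions)


def sample_assertion(*audiences: str) -> str:
    """Constructed, unsigned SAML 2.0 assertion with one AudienceRestriction."""
    auds = "".join(f"<saml:Audience>{a}</saml:Audience>" for a in audiences)
    return (
        f'<saml:Assertion xmlns:saml="{SAML2_NS}" ID="_example" Version="2.0" '
        'IssueInstant="2016-01-01T00:00:00Z">'
        "<saml:Issuer>https://idp.example.com/</saml:Issuer>"
        f"<saml:Conditions><saml:AudienceRestriction>{auds}"
        "</saml:AudienceRestriction></saml:Conditions>"
        "</saml:Assertion>"
    )
```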

This has been fixed in revision:

https://git-wip-us.apache.org/repos/asf?p=cxf-fediz.git;a=commit;h=0006581e9cacbeef46381a223e5671e524d416b6

Migration:

Fediz 1.1.x users are not affected by this vulnerability.
Fediz 1.2.x users should upgrade to 1.2.3 or later as soon as possible.
Fediz 1.3.x users should upgrade to 1.3.1 or later as soon as possible.

References: http://cxf.apache.org/security-advisories.html