CVE-2016-4464: Apache CXF Fediz application plugins do not match the SAML
AudienceRestriction values against the list of configured audience URIs.
Severity: Minor
Vendor: The Apache Software Foundation
Versions Affected:
This vulnerability affects Apache CXF Fediz 1.2.0, 1.2.1, 1.2.2 and 1.3.0.
Description:
Apache CXF Fediz is a subproject of Apache CXF which implements the
WS-Federation Passive Requestor Profile for SSO specification. It provides a
number of container based plugins to enable SSO for Relying Party applications.
It is possible to configure a list of audience URIs for the plugins, against
which the AudienceRestriction values of the received SAML tokens are supposed
to be matched. However, this matching does not actually take place.
This means that a token targeted for another service could be accepted by the
application plugin (assuming that the signature is trusted), something that
could potentially be exploited by an attacker.
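The audience check the advisory says was missing, written here as an added Python example rather than Fediz's own (Java) code: the pre-fix no-op beside a hardened version that matches every AudienceRestriction (SAML 2.0) or AudienceRestrictionCondition (SAML 1.1) against the list of configured audience URIs. The sample token, the example.com URIs and the handling of an empty configured list are constructed assumptions, not taken from the advisory.

```python
import xml.etree.ElementTree as ET

# Assertion namespaces for the two token formats a WS-Federation RP may receive.
# SAML 1.1 assertions share the 1.0 namespace and use AudienceRestrictionCondition.
SAML_NAMESPACES = (
    "urn:oasis:names:tc:SAML:2.0:assertion",
    "urn:oasis:names:tc:SAML:1.0:assertion",
)
RESTRICTION_TAGS = ("AudienceRestriction", "AudienceRestrictionCondition")


def extract_audience_restrictions(assertion_xml):
    """Return one list of Audience URIs per AudienceRestriction(Condition) element."""
    root = ET.fromstring(assertion_xml)
    restrictions = []
    for ns in SAML_NAMESPACES:
        for tag in RESTRICTION_TAGS:
            for elem in root.iter("{%s}%s" % (ns, tag)):
                audiences = [a.text.strip() for a in elem.iter("{%s}Audience" % ns) if a.text]
                restrictions.append(audiences)
    return restrictions


def vulnerable_audience_check(assertion_xml, configured_audiences):
    # Pre-fix behaviour described in the advisory: the configured list is never
    # consulted, so a token issued for another service passes this step.
    return True


def audience_check(assertion_xml, configured_audiences):
    """Hardened check: each AudienceRestriction must contain at least one
    configured URI (SAML core semantics: OR within a restriction, AND across
    them). URIs are compared exactly after trimming surrounding whitespace."""
    allowed = {uri.strip() for uri in configured_audiences}
    if not allowed:
        return True  # assumption: no audience policy configured, nothing to enforce
    restrictions = extract_audience_restrictions(assertion_xml)
    if not restrictions:
        return False  # policy configured but the token names no audience at all
    return all(any(a in allowed for a in audiences) for audiences in restrictions)


# Constructed sample token: issued for the payroll service, not for this RP.
SAMPLE_SAML2_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0nstructed" Version="2.0">
  <saml2:Conditions>
    <saml2:AudienceRestriction>
      <saml2:Audience>https://payroll.example.com/fedizrp</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""
```

With the RP configured for `https://hr.example.com/fedizrp`, the vulnerable check accepts the sample token while the hardened one rejects it; the same code handles SAML 1.1 tokens and multiple restrictions.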
This has been fixed in revision:
https://git-wip-us.apache.org/repos/asf?p=cxf-fediz.git;a=commit;h=0006581e9cacbeef46381a223e5671e524d416b6
Migration:
Fediz 1.1.x users are not affected by this vulnerability.
Fediz 1.2.x users should upgrade to 1.2.3 or later as soon as possible.
Fediz 1.3.x users should upgrade to 1.3.1 or later as soon as possible.
References: http://cxf.apache.org/security-advisories.html