| -----BEGIN PGP SIGNED MESSAGE----- |
| Hash: SHA1 |
| |
| CVE-2017-3156: Apache CXF OAuth2 Hawk and JOSE MAC Validation code is vulnerable to the timing attacks |
| |
| Severity: Major |
| |
| Vendor: The Apache Software Foundation |
| |
| Versions Affected: |
| |
| This vulnerability affects all versions of Apache CXF prior to 3.0.13, 3.1.10. |
| |
| Description: |
| |
| Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature |
| comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect |
| OAuth2 Hawk or JWT access tokens or JOSE JWS/JWE interceptors which depend on HMac secret key algorithms. |
| |
| |
| This has been fixed in revisions: |
| |
| CXF 3.1.x: |
| http://git-wip-us.apache.org/repos/asf/cxf/commit/555843f9 |
| |
| CXF 3.0.x |
| http://git-wip-us.apache.org/repos/asf/cxf/commit/1338469f |
| |
| CXF 3.2.0-SNAPSHOT (master): |
| http://git-wip-us.apache.org/repos/asf/cxf/commit/e66ce235 |
| |
| |
| Credit: |
| The issue was reported and the patch provided by Richard Kettelerij. |
| |
| Migration: |
| |
| CXF 3.0.x users should upgrade to 3.0.13 or later as soon as possible. |
| CXF 3.1.x users should upgrade to 3.1.10 or later as soon as possible. |
| |
| References: http://cxf.apache.org/security-advisories.html |
| -----BEGIN PGP SIGNATURE----- |
| Version: GnuPG v1 |
| |
| iEYEARECAAYFAliq0rIACgkQmcduTd7eq5LohQCgkIiSd26xoIzt/+Pi0r8ri0HD |
| bbQAn3C5Y8DNes7QGRUP6Dv1hVRrmP2y |
| =0YqU |
| -----END PGP SIGNATURE----- |
