-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2017-5653: Apache CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted.

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 3.1.11 and
3.0.13.

Description:

Apache CXF supports the use of XML Signature and XML Encryption to secure
JAX-RS services. Two implementations are available: a DOM-based approach that
builds an in-memory model of the message before applying security, and a
streaming implementation that is a useful alternative for larger messages.

There is a bug in message validation for JAX-RS clients that use the
streaming approach: the client does not enforce that the service response is
signed and/or encrypted. An exception is thrown in these cases, but it is not
properly propagated to the client code, so an unsigned or unencrypted response
is consumed as if it had been verified. The bug does not affect DOM-based
clients, and it does not affect the streaming implementation on the server
side.

This has been fixed in revision:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=fade9b81dabe27f864ca38e7b40f28fb44d6f165

Migration:

Apache CXF users should upgrade to 3.1.11 or 3.0.13 or later as soon as
possible. In addition, the JAX-RS XmlSecInInterceptor must be registered on
the client as a JAX-RS provider rather than added to the CXF in-interceptor
chain; the fix relies on the provider registration, so upgrading alone is not
sufficient if the interceptor is still wired into the interceptor chain.

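The following is an added illustration of the migration step, not code from the advisory or from the Apache CXF project. It contrasts the client wiring the advisory warns about (XmlSecInInterceptor in the in-interceptor chain) with the prescribed form (XmlSecInInterceptor registered as a JAX-RS provider), and ends with the check a practitioner would add to an integration test: an unsigned response must fail to read. The endpoint address is hypothetical, the setRequireSignature flag is the interceptor's own setter as documented in CXF, and the keystore and signature properties needed for real verification are assumed to be configured elsewhere.

```java
import java.util.Collections;
import java.util.List;

import javax.ws.rs.ProcessingException;
import javax.ws.rs.core.Response;

import org.apache.cxf.jaxrs.client.ClientConfiguration;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.xml.XmlSecInInterceptor;

public class XmlSecClientSetup {

    // Hypothetical service address; not part of the advisory.
    private static final String ADDRESS = "https://example.invalid/services/books";

    /**
     * The wiring the advisory warns about: the streaming XmlSecInInterceptor
     * is added to the CXF in-interceptor chain of the client. On CXF releases
     * before 3.1.11 / 3.0.13 a response that is not signed raises an exception
     * inside the interceptor that never reaches the caller, so the unsigned
     * body is consumed as if it had been verified.
     */
    static WebClient vulnerableSetup() {
        WebClient client = WebClient.create(ADDRESS);
        XmlSecInInterceptor secIn = new XmlSecInInterceptor();
        secIn.setRequireSignature(true);
        ClientConfiguration config = WebClient.getConfig(client);
        config.getInInterceptors().add(secIn); // wrong place for the streaming client
        return client;
    }

    /**
     * The migration the advisory prescribes: the same interceptor is
     * registered as a JAX-RS provider. It then runs as a ReaderInterceptor
     * when the entity is read, and a failed signature check surfaces to the
     * caller as an exception instead of being swallowed.
     */
    static WebClient hardenedSetup() {
        XmlSecInInterceptor secIn = new XmlSecInInterceptor();
        secIn.setRequireSignature(true);
        // Signature verification keystore/properties are assumed to be
        // configured on the client elsewhere (not shown).
        List<Object> providers = Collections.<Object>singletonList(secIn);
        return WebClient.create(ADDRESS, providers);
    }

    /**
     * Regression check for an integration test: point the client at an
     * endpoint (a stub in the test) that returns a plain, unsigned XML body
     * and confirm that reading the entity fails. Returning false means the
     * unsigned response was accepted, i.e. the client is still vulnerable.
     */
    static boolean unsignedResponseIsRejected(WebClient client) {
        try {
            Response response = client.accept("application/xml").get();
            response.readEntity(String.class); // the ReaderInterceptor runs here
            return false;
        } catch (ProcessingException e) {
            return true; // signature enforcement reached the caller
        }
    }
}
```

Run unsignedResponseIsRejected against a stub service that omits the XML Signature: with vulnerableSetup on an affected release it returns false, and with hardenedSetup on 3.1.11 / 3.0.13 or later it returns true. Keeping that check in the test suite guards against someone re-adding the interceptor to the chain during a later refactor.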
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJY8OBOAAoJEGe/gLEK1TmDMa0H/Rugu02xhfi2Iih0INf0j3F3
kWWCOEzyrbecdYDeJDsI6UB0djIugDlOyrN0KizD20dz9MMWLsmveao7i9D90pCH
GbNbAb8r1DkpMdH31G2bqueQ2dM6vpYfuvNwVRlLGajGro59YrWzD2D17CVGDtvY
ceKqYn1530Md9y2x1DY+vE4HaBsDtL+CmGK459AP09h4eflYvjfa5Y7v1tsZDosR
N9JjaN0XVNnAyOz8QVqCC1dugIqsGMelfEc+WKKxAn+tkC5PZrjoRtOgkHwVfr1v
FSLfbI8JajjNcxUz/d5y9jY/OIEWbeRukmHv9nLT+2RQFZfxtY+Kpp8vr/SuLwQ=
=/38f
-----END PGP SIGNATURE-----