-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
CVE-2017-5653: Apache CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted.
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
This vulnerability affects all versions of Apache CXF prior to 3.1.11 and
3.0.13.
Description:
Apache CXF supports the ability to use XML Signature and encryption to secure
JAX-RS services. Two different implementations are available, a DOM based
approach that works on a model of the message in memory before applying
security, and a streaming based implementation that is a useful alternative
for larger messages.
There is a bug in validating messages for JAX-RS clients using the streaming
approach: the client does not enforce that the service response is signed
and/or encrypted. An exception is thrown in these cases, but it is not properly
propagated to the client code, so the unsecured response reaches the caller.
The bug does not apply to DOM-based clients, nor to the streaming server-side
case.
This has been fixed in revision:
https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=fade9b81dabe27f864ca38e7b40f28fb44d6f165
Migration:
Apache CXF users should upgrade to 3.1.11 or 3.0.13 or later as soon as
possible. In addition, the JAX-RS XmlSecInInterceptor must no longer be added
to the CXF in-interceptor chain of the client; it must be registered as a
JAX-RS provider instead.
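The following Java snippet is an added illustration of the migration note, not
code from this advisory or from the CXF project. It shows the old registration
(XmlSecInInterceptor on the client's in-interceptor chain) next to the required
one (the same object registered as a JAX-RS provider). The service address, the
"alice" alias, the properties file and the callback-handler class are
placeholders; the setRequireSignature/setRequireEncryption setters are assumed
to be present on the 3.x XmlSecInInterceptor.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.ws.rs.ProcessingException;
import javax.ws.rs.core.Response;

import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.xml.XmlSecInInterceptor;
import org.apache.cxf.rs.security.xml.XmlSecOutInterceptor;
import org.apache.cxf.rt.security.SecurityConstants;

/**
 * Illustrative client setup (not from the advisory or the CXF code base).
 * Address, key aliases, property files and callback handler are hypothetical.
 */
public class XmlSecStreamingClient {

    /**
     * Old registration: the streaming interceptor sits on the in-interceptor
     * chain. On CXF releases before 3.1.11 / 3.0.13 a failed check here was
     * not propagated, so an unsigned/unencrypted response reached the caller.
     */
    public static WebClient registerAsInterceptor(String address, XmlSecInInterceptor xmlSecIn) {
        WebClient client = WebClient.create(address);
        WebClient.getConfig(client).getInInterceptors().add(xmlSecIn);
        return client;
    }

    /**
     * Required registration: the same object is passed as a JAX-RS provider,
     * so it runs as a client response filter and its failure aborts the call.
     */
    public static WebClient registerAsProvider(String address, XmlSecInInterceptor xmlSecIn) {
        return WebClient.create(address, Collections.singletonList(xmlSecIn));
    }

    /** Inbound checker that insists on a signed response (setters assumed). */
    public static XmlSecInInterceptor inboundChecker() {
        XmlSecInInterceptor xmlSecIn = new XmlSecInInterceptor();
        xmlSecIn.setRequireSignature(true);
        xmlSecIn.setRequireEncryption(false);
        return xmlSecIn;
    }

    public static void main(String[] args) {
        String address = "https://localhost:9000/xmlsec/bookstore/books/123"; // hypothetical
        WebClient client = registerAsProvider(address, inboundChecker());

        // Outbound signing of the request is not affected by the CVE and stays
        // on the out-interceptor chain.
        XmlSecOutInterceptor xmlSecOut = new XmlSecOutInterceptor();
        xmlSecOut.setSignRequest(true);
        WebClient.getConfig(client).getOutInterceptors().add(xmlSecOut);

        // Crypto configuration; the values are placeholders for this example.
        Map<String, Object> props = new HashMap<>();
        props.put(SecurityConstants.CALLBACK_HANDLER, "org.example.KeystorePasswordCallback");
        props.put(SecurityConstants.SIGNATURE_USERNAME, "alice");
        props.put(SecurityConstants.SIGNATURE_PROPERTIES, "alice.properties");
        WebClient.getConfig(client).getRequestContext().putAll(props);

        try {
            Response response = client.accept("application/xml").get();
            System.out.println("Verified response, HTTP " + response.getStatus());
        } catch (ProcessingException e) {
            // A JAX-RS 2 client reports a failing response filter this way;
            // with provider registration a missing signature lands here
            // instead of being silently accepted.
            System.err.println("Response rejected: " + e.getMessage());
        }
    }
}
```

The point of the change is where the check runs: as a provider the interceptor
executes as a ClientResponseFilter, whose exception aborts the invocation, while
the interceptor-chain registration in registerAsInterceptor is the one the
advisory says swallowed the failure on unpatched releases. Keep only the
provider registration after upgrading.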
-----BEGIN PGP SIGNATURE-----
iQEcBAEBCAAGBQJY8OBOAAoJEGe/gLEK1TmDMa0H/Rugu02xhfi2Iih0INf0j3F3
kWWCOEzyrbecdYDeJDsI6UB0djIugDlOyrN0KizD20dz9MMWLsmveao7i9D90pCH
GbNbAb8r1DkpMdH31G2bqueQ2dM6vpYfuvNwVRlLGajGro59YrWzD2D17CVGDtvY
ceKqYn1530Md9y2x1DY+vE4HaBsDtL+CmGK459AP09h4eflYvjfa5Y7v1tsZDosR
N9JjaN0XVNnAyOz8QVqCC1dugIqsGMelfEc+WKKxAn+tkC5PZrjoRtOgkHwVfr1v
FSLfbI8JajjNcxUz/d5y9jY/OIEWbeRukmHv9nLT+2RQFZfxtY+Kpp8vr/SuLwQ=
=/38f
-----END PGP SIGNATURE-----