-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2017-7662: The Apache CXF Fediz OIDC Client Registration Service is vulnerable to CSRF attacks

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF Fediz prior to 1.4.0
and 1.3.2.

Description:

Apache CXF Fediz ships with an OpenID Connect (OIDC) service which has a
Client Registration Service, a simple web application that allows
clients to be created, deleted, etc.

A CSRF (Cross-Site Request Forgery) vulnerability has been found in
this web application, meaning that a malicious web application could create
new clients, reset secrets, etc., after the admin user has logged on to
the client registration service and while the session is still active.
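
The scenario above, as an added illustration that is not Fediz code: a constructed, in-memory stand-in for a client registration endpoint that honours any request carrying a valid session cookie (the vulnerable behaviour) next to the same endpoint guarded by a per-session synchronizer token, which a cross-site request cannot supply. The session store, cookie name, form field names and `register_client` helper are all hypothetical.

```python
import hmac
import secrets

# Constructed stand-in for the server-side session store of a client
# registration service (not Fediz code): session-cookie id -> session data.
SESSIONS: dict[str, dict] = {}
REGISTERED_CLIENTS: dict[str, list[str]] = {}  # admin user -> client names


def login(admin: str) -> str:
    """Create an authenticated session and mint a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": admin, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the server embeds as a hidden field in the forms it renders."""
    return SESSIONS[sid]["csrf"]


def register_client(cookies: dict, form: dict, check_csrf: bool = True) -> tuple[int, str]:
    """Handle a POST that creates a client. check_csrf=False models the
    vulnerable behaviour: a valid session cookie alone is enough."""
    session = SESSIONS.get(cookies.get("SESSIONID", ""))
    if session is None:
        return 401, "not logged in"
    if check_csrf:
        submitted = form.get("csrf_token", "")
        # Constant-time compare; a missing or wrong token means the request did
        # not come from a form this server rendered for this session.
        if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
            return 403, "missing or invalid CSRF token"
    REGISTERED_CLIENTS.setdefault(session["user"], []).append(form["client_name"])
    return 201, f"client {form['client_name']} created"


def demo() -> dict:
    sid = login("admin")
    cookies = {"SESSIONID": sid}  # the browser attaches this to every request
    # Cross-site request: carries the cookie but cannot know the session token.
    cross_site = {"client_name": "unexpected-client"}
    vulnerable = register_client(cookies, cross_site, check_csrf=False)
    fixed = register_client(cookies, cross_site)
    # Same-origin submission from the service's own form, token included.
    legit = register_client(cookies, {"client_name": "my-app", "csrf_token": csrf_token_for(sid)})
    return {"vulnerable": vulnerable[0], "fixed": fixed[0], "legit": legit[0],
            "clients": REGISTERED_CLIENTS["admin"]}


if __name__ == "__main__":
    print(demo())
```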

This has been fixed in revision:

https://github.com/apache/cxf-fediz/commit/c68e4820816c19241568f4a8fe8600bffb0243cd

Migration:

Apache CXF Fediz users should upgrade to 1.4.0 or 1.3.2 as soon as possible if
they are using the OIDC service.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----