Twenty Year Anniversary

Apache CXF Failed Pickup Of Child Policies

Apache CXF Failed Pickup Of Child Policies
Posted Jun 8, 2012
Authored by Colm O hEigeartaigh | Site cxf.apache.org

Apache CXF does not pick up some child policies of WS-SecurityPolicy 1.1 SupportingToken policy assertions on the client side. Apache CXF versions 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.0 are affected.

tags | advisory
advisories | CVE-2012-2378
MD5 | 92050d8c8f388f16e0f1c4a6454e83ce

Apache CXF Failed Pickup Of Child Policies

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


CVE-2012-2378: Apache CXF does not pick up some child policies of
WS-SecurityPolicy 1.1 SupportingToken policy assertions on the client side.

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

Apache CXF 2.4.5 to 2.4.7
Apache CXF 2.5.1 to 2.5.3
Apache CXF 2.6.0

Description:

None of the following child policies of a WS-SecurityPolicy 1.1
(.*)SupportingToken policy are picked up on the client side:

- AlgorithmSuite
- SignedParts
- SignedElements
- EncryptedParts
- EncryptedElements

Note that all of these policies are picked up on the client side in the most
common use-cases, for example when an AlgorithmSuite is specified under a
security binding, or when a SignedParts Element is specified per-operation
or
per-binding. They only do not apply when a SupportingToken is used to sign
or encrypt some part or element, for example:

<sp:EndorsingSupportingToken
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
...
<sp:SignedParts>
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"
/>
</sp:SignedParts>
</sp:EndorsingSupportingToken>

Also note that this does not apply for the WS-SecurityPolicy 1.2 namespace,
but *only* for the older WS-SecurityPolicy 1.1 namespace of:

"http://schemas.xmlsoap.org/ws/2005/07/securitypolicy".

This has been fixed in revision:

http://svn.apache.org/viewvc?view=revision&revision=1337150

The versions that are affected are CXF 2.4.5 to 2.4.7, CXF 2.5.1 to 2.5.3,
and
CXF 2.6.0. The vulnerability does not exist in CXF 2.3.10, CXF 2.4.4 or
2.5.0.

Migration:

CXF 2.4.5 to 2.4.7 users should upgrade to 2.4.8 as soon as possible.
CXF 2.5.1 to 2.5.3 users should upgrade to 2.5.4 as soon as possible.
CXF 2.6.0 users should upgrade to 2.6.1 as soon as possible.

References: http://cxf.apache.org/security-advisories.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJP0HTJAAoJEGe/gLEK1TmDRsEIAIHNiUGAE9Ct+RAd2XT7yiLk
5fbN93dB87bFyl2byXBXxUu5vwyPAoT015CDSqqU16g3wNd4WM/WSCF0sNBCOAF9
qQ+cO0CNXG7xeE9/qfjsePxYDeWu729Et+KUBAmmsGvvY0xcP+zL1DmxP4wM45jT
2I6r85PLinYh4QeV3o0F6m3R2dFJQWLEpQwmQDl8C+zNObuRdZ6MlgKEPOPz10Ie
S9xQg7S3w8YPjk8FQGWX5hbRWteGLBftX2VD9rxz9gK2r9YN4eg6BL6S71LoAYNx
hM1CbT1Q+jFk8Biv7ZvL2l2X59wdk+J+xdYCJomxCEUUFMFEM0dkFBad8BU0nOk=
=YSM6
-----END PGP SIGNATURE-----


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

August 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    19 Files
  • 2
    Aug 2nd
    17 Files
  • 3
    Aug 3rd
    16 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    1 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    15 Files
  • 8
    Aug 8th
    9 Files
  • 9
    Aug 9th
    7 Files
  • 10
    Aug 10th
    10 Files
  • 11
    Aug 11th
    1 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    14 Files
  • 14
    Aug 14th
    18 Files
  • 15
    Aug 15th
    38 Files
  • 16
    Aug 16th
    16 Files
  • 17
    Aug 17th
    22 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close