Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

CVE-2017-3156

🗓️ 10 Aug 2017 18:00:00Reported by apacheType 
cve
 cve🔗 web.nvd.nist.gov👁 90 Views

The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks

Related
Detection
Affected
Refs
ReporterTitlePublishedViews
Family
IBM Security Bulletins		Security Bulletin: Mulitiple security vulnerabilities in Apache CXF affects IBM InfoSphere Master Data Management (CVE-2016-6812 CVE-2016-8739 CVE-2017-5653 CVE-2017-5656 CVE-2017-3156)
16 Jun 201814:18
ibm
IBM Security Bulletins		Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities
27 May 202008:29
ibm
IBM Security Bulletins		Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerability
19 Jul 201916:20
ibm
IBM Security Bulletins		Security Bulletin: IBM Tivoli Network Manager IP Edition is affected by an Apache CXF vulnerability (CVE-2017-3156)
17 Jun 201815:45
ibm
CNVD		Apache CXF Timing Attack Information Disclosure Vulnerability
2 Mar 201700:00
cnvd
Cvelist		CVE-2017-3156
10 Aug 201718:00
cvelist
Fedora		[SECURITY] Fedora 25 Update: cxf-3.1.6-5.fc25
2 Mar 201701:22
fedora
Tenable Nessus		Fedora 25 : 1:cxf (2017-d62c8f91e4)
3 Mar 201700:00
nessus
Github Security Blog		Covert Timing Channel in Apache CXF
13 May 202201:09
github
NVD		CVE-2017-3156
10 Aug 201718:29
nvd
Rows per page
NVD
Vulners
Node
apachecxfRange3.0.12
OR
apachecxfMatch3.1.0
OR
apachecxfMatch3.1.1
OR
apachecxfMatch3.1.2
OR
apachecxfMatch3.1.3
OR
apachecxfMatch3.1.4
OR
apachecxfMatch3.1.5
OR
apachecxfMatch3.1.6
OR
apachecxfMatch3.1.7
OR
apachecxfMatch3.1.8
OR
apachecxfMatch3.1.9
[
  {
    "product": "Apache CXF",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "prior to 3.0.13"
      },
      {
        "status": "affected",
        "version": "3.1.x prior to 3.1.10"
      }
    ]
  }
]
SourceLink
listswww.lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
accesswww.access.redhat.com/errata/RHSA-2017:1832
cxfwww.cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc
listswww.lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
listswww.lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
securityfocuswww.securityfocus.com/bid/96398
listswww.lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
listswww.lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
listswww.lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 May 2026 00:24Current
7.3High risk
Vulners AI Score7.3
CVSS 25
CVSS 37.5
EPSS0.06521
cve20173156oauth2hawkjosemacvalidationapache cxfsecurity vulnerabilitytiming attack
90