CVSS2: 5.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
CVSS2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
EPSS: 0.003 Low
EPSS Percentile: 65.5%
Apache CXF is an open source services framework.
It was found that the Apache CXF UsernameTokenPolicyValidator and
UsernameTokenInterceptor allowed a UsernameToken element with no password
child element to bypass authentication. A remote attacker could use this
flaw to circumvent access controls applied to web services by omitting the
password in a UsernameToken. This flaw was exploitable on web services that
rely on WS-SecurityPolicy plain text UsernameTokens to authenticate users.
It was not exploitable when using hashed passwords or WS-Security without
WS-SecurityPolicy. (CVE-2013-0239)
If web services were deployed using Apache CXF with the WSS4JInInterceptor
enabled to apply WS-Security processing, HTTP GET requests to these
services were always granted access, without applying authentication
checks. The URIMappingInterceptor is a legacy mechanism for allowing
REST-like access (via GET requests) to simple SOAP services. A remote
attacker could use this flaw to access the REST-like interface of a simple
SOAP service using GET requests that bypass the security constraints
applied by WSS4JInInterceptor. This flaw was only exploitable if
WSS4JInInterceptor was used to apply WS-Security processing. Services that
use WS-SecurityPolicy to apply security were not affected. (CVE-2012-5633)
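The two conditions described above, expressed as a defender-side request check. This is an added example written in Python rather than CXF's own Java, not code from the advisory or from Apache CXF; the namespace URIs are the standard WS-Security 1.0 ones, and the sample envelopes are constructed.

```python
# Added example (not Red Hat's or Apache CXF's code): reject a GET to a
# WS-Security protected endpoint and reject a UsernameToken that carries no
# Password child, the two bypass patterns the advisory describes.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")


def check_request(method: str, body: str) -> tuple[bool, str]:
    """Return (accepted, reason) for an inbound request.  Only POST carries a
    SOAP envelope, so a GET never reaches the token check (CVE-2012-5633)."""
    if method.upper() != "POST":
        return False, f"{method} not allowed on WS-Security protected endpoint"
    try:
        env = ET.fromstring(body)  # production code: use a hardened XML parser
    except ET.ParseError as exc:
        return False, f"malformed envelope: {exc}"
    tokens = env.findall(
        f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
    if not tokens:
        return False, "no UsernameToken present"
    for tok in tokens:
        user = tok.find(f"{{{WSSE_NS}}}Username")
        pwd = tok.find(f"{{{WSSE_NS}}}Password")
        if user is None or not (user.text or "").strip():
            return False, "UsernameToken without Username"
        # CVE-2013-0239 pattern: a token with no Password child is not
        # authenticated; it must be rejected, not passed through.
        if pwd is None or not (pwd.text or "").strip():
            return False, "UsernameToken without Password child"
        # Missing Type means PasswordText per the profile; this plain-text
        # validator hands any other type (e.g. digest) to a different path.
        if pwd.get("Type", PASSWORD_TEXT) != PASSWORD_TEXT:
            return False, f"password type not handled here: {pwd.get('Type')}"
    return True, "credentials present; verify them against the user store"


def _envelope(token_xml: str) -> str:
    return (f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">'
            f'<s:Header><wsse:Security>{token_xml}</wsse:Security></s:Header>'
            f'<s:Body><ping/></s:Body></s:Envelope>')


# Constructed samples: a complete token and one lacking the Password child.
GOOD = _envelope('<wsse:UsernameToken><wsse:Username>alice</wsse:Username>'
                 '<wsse:Password>s3cret</wsse:Password></wsse:UsernameToken>')
NO_PASSWORD = _envelope('<wsse:UsernameToken><wsse:Username>alice</wsse:Username>'
                        '</wsse:UsernameToken>')
```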
Warning: Before applying this update, back up your existing JBoss
Enterprise Application Platform installation and deployed applications.
All users of JBoss Enterprise Application Platform 6.0.1 on Red Hat
Enterprise Linux 5 and 6 are advised to upgrade to this updated package.
The JBoss server process must be restarted for the update to take effect.
| OS | OS Version | Architecture | Package | Affected Version | Filename |
|---|---|---|---|---|---|
| RedHat | 5 | noarch | apache-cxf | < 2.4.9-6.redhat_3.ep6.el5 | apache-cxf-2.4.9-6.redhat_3.ep6.el5.noarch.rpm |
| RedHat | 5 | src | apache-cxf | < 2.4.9-6.redhat_3.ep6.el5 | apache-cxf-2.4.9-6.redhat_3.ep6.el5.src.rpm |
| RedHat | 6 | noarch | apache-cxf | < 2.4.9-6.redhat_3.ep6.el6 | apache-cxf-2.4.9-6.redhat_3.ep6.el6.noarch.rpm |
| RedHat | 6 | src | apache-cxf | < 2.4.9-6.redhat_3.ep6.el6 | apache-cxf-2.4.9-6.redhat_3.ep6.el6.src.rpm |