(RHSA-2013:0644) Important: apache-cxf security update

ID RHSA-2013:0644
Type redhat
Reporter RedHat
Modified 2018-06-07T02:39:05


Apache CXF is an open source services framework.

It was found that the Apache CXF UsernameTokenPolicyValidator and UsernameTokenInterceptor allowed a UsernameToken element with no password child element to bypass authentication. A remote attacker could use this flaw to circumvent access controls applied to web services by omitting the password in a UsernameToken. This flaw was exploitable on web services that rely on WS-SecurityPolicy plain text UsernameTokens to authenticate users. It was not exploitable when using hashed passwords or WS-Security without WS-SecurityPolicy. (CVE-2013-0239)

If web services were deployed using Apache CXF with the WSS4JInInterceptor enabled to apply WS-Security processing, HTTP GET requests to these services were always granted access, without applying authentication checks. The URIMappingInterceptor is a legacy mechanism for allowing REST-like access (via GET requests) to simple SOAP services. A remote attacker could use this flaw to access the REST-like interface of a simple SOAP service using GET requests that bypass the security constraints applied by WSS4JInInterceptor. This flaw was only exploitable if WSS4JInInterceptor was used to apply WS-Security processing. Services that use WS-SecurityPolicy to apply security were not affected. (CVE-2012-5633)

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications.

All users of JBoss Enterprise Application Platform 6.0.1 on Red Hat Enterprise Linux 5 and 6 are advised to upgrade to this updated package. The JBoss server process must be restarted for the update to take effect.