Bug 1157304 (CVE-2014-3623)

Summary: CVE-2014-3623 Apache WSS4J / Apache CXF: Improper security semantics enforcement of SAML SubjectConfirmation methods
Product: [Other] Security Response Reporter: Arun Babu Neelicattu <aneelica>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: asoldano, bleanhar, ccoleman, cdewolf, chazlett, dandread, darran.lofthouse, dmcphers, fnasser, grocha, huwang, jawilson, jbpapp-maint, jcoleman, jialiu, jkeck, jokerman, kconner, lgao, lmeyer, mgoldman, mmccomas, myarboro, pgier, pslavice, rsvoboda, rzhang, soa-p-jira, tkirby, vtunka, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: wss4j 1.6.17, wss4j 2.0.2, cxf 2.7.13, cxf 3.0.2, wildfly 9.0.0.Beta1 Doc Type: Bug Fix
Doc Text:
It was found that Apache WSS4J (Web Services Security for Java), as used by Apache CXF with the TransportBinding, did not, by default, properly enforce all security requirements associated with SAML SubjectConfirmation methods. A remote attacker could use this flaw to perform various types of spoofing attacks on web service endpoints secured by WSS4J that rely on SAML for authentication.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:35:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1155324, 1157305, 1157306, 1157312, 1157313, 1157415, 1157781, 1157782, 1157783, 1157784, 1157785, 1157786, 1157787, 1157788, 1157789, 1157790, 1157791, 1157792, 1157935, 1157937, 1158224    
Bug Blocks: 1155883, 1157339, 1194004, 1200191, 1210482    

Description Arun Babu Neelicattu 2014-10-27 02:28:23 UTC 
Apache WSS4J as used by Apache CXF with the TransportBinding does not, by default, properly enforce all security requirements associcated with SAML SubjectConfirmation methods. Web service endpoints, secured by WSS4j, that rely on SAML for authentication are considered vulnerable to types of spoofing attacks.

Upstream Issues:

https://issues.apache.org/jira/browse/WSS-510
https://issues.apache.org/jira/browse/WSS-511
https://issues.apache.org/jira/browse/WSS-511

Upstream Commits:

http://svn.apache.org/viewvc?view=revision&revision=1624308
http://svn.apache.org/viewvc?view=revision&revision=1624287
http://svn.apache.org/viewvc?view=revision&revision=1624262

References:

http://cxf.apache.org/security-advisories.data/CVE-2014-3623.txt.asc
Comment 3 Arun Babu Neelicattu 2014-10-27 03:02:14 UTC 
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3623.yaml
Comment 5 Arun Babu Neelicattu 2014-10-27 08:39:27 UTC 
Created wildfly tracking bugs for this issue:

Affects: fedora-all [bug 1157415]
Comment 9 Chess Hazlett 2014-10-28 02:46:19 UTC 
Statement:

Fuse ESB Enterprise 7 is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/

Red Hat JBoss SOA Platform 5 and Red Hat JBoss BRMS 5 are now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware Product Life Cycle: https://access.redhat.com/support/policy/updates/jboss_notes/
Comment 13 Fedora Update System 2014-11-01 17:15:39 UTC 
wss4j-1.6.17-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2014-11-07 02:33:23 UTC 
wss4j-1.6.17-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 errata-xmlrpc 2014-12-18 17:48:54 UTC 
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.3.2

Via RHSA-2014:2020 https://rhn.redhat.com/errata/RHSA-2014-2020.html
Comment 16 errata-xmlrpc 2014-12-18 17:59:52 UTC 
This issue has been addressed in the following products:

  JBEAP 6.3.z for RHEL 6
  JBEAP 6.3.z for RHEL 5
  JBEAP 6.3.z for RHEL 7

Via RHSA-2014:2019 https://rhn.redhat.com/errata/RHSA-2014-2019.html
Comment 18 errata-xmlrpc 2015-02-18 21:31:57 UTC 
This issue has been addressed in the following products:

Red Hat JBoss Fuse/A-MQ 6.1.0

Via RHSA-2015:0236 https://rhn.redhat.com/errata/RHSA-2015-0236.html
Comment 19 errata-xmlrpc 2015-03-11 16:55:13 UTC 
This issue has been addressed in the following products:

JBoss Data Virtualization 6.1.0

Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html
Comment 23 errata-xmlrpc 2015-04-16 16:07:24 UTC 
This issue has been addressed in the following products:

  JBoss BPM Suite 6.1.0

Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html
Comment 24 errata-xmlrpc 2015-04-16 16:12:13 UTC 
This issue has been addressed in the following products:

  JBoss BRMS 6.1.0

Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html