Bug 1157330 (CVE-2014-3584)

Summary: CVE-2014-3584 Apache CXF: Denial of Service (DoS) via invalid JAX-RS SAML tokens
Product: [Other] Security Response Reporter: Arun Babu Neelicattu <aneelica>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: asoldano, bleanhar, ccoleman, cdewolf, chazlett, dandread, darran.lofthouse, dmcphers, fnasser, grocha, huwang, jawilson, jcoleman, jialiu, jokerman, lgao, lmeyer, mmccomas, myarboro, pslavice, rsvoboda, rzhang, soa-p-jira, tkirby, vtunka, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: cxf 2.6.11, cxf 2.7.8, cxf 3.0.0-milestone1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-20 10:47:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1157305, 1157331, 1157332, 1157935, 1157937, 1158224    
Bug Blocks: 1157339    

Description Arun Babu Neelicattu 2014-10-27 03:37:42 UTC 
It was discovered that Apache CXF JAX-RS services, via the SamlHeaderInHandler implementation, incorrectly handled invalid SAML tokens provided in authorization headers of requests. A remote attacker can trigger an infinite loop by providing specially crafted values in authorization headers leading to a Denial of Service attack.

Upstream Issues:

https://issues.apache.org/jira/browse/CXF-5390

Upstream Commits:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=0b3894f57388b9955f2c33b2295223f2835cd7b3

References:

http://cxf.apache.org/security-advisories.data/CVE-2014-3584.txt.asc
Comment 1 Arun Babu Neelicattu 2014-10-27 03:39:03 UTC 
Created cxf tracking bugs for this issue:

Affects: fedora-all [bug 1157305]
Comment 4 Arun Babu Neelicattu 2014-10-27 08:39:47 UTC 
Statement:

This issue did not affect Apache CXF as shipped with Red Hat JBoss Enterprise Application Platform 5 and 6; Red Hat JBoss Enterprise Web Platform 5; Red Hat JBoss SOA Platform 5; Red Hat JBoss Fuse Service Works 6; Red Hat JBoss BRMS 5 and 6; Red Hat JBoss BPM Suite 6; Red Hat JBoss Data Virtualization 6; Red Hat JBoss Operations Network 3 and Red Hat JBoss Portal Platform 6 as the REST Web Services endpoints are not available.

Fuse ESB Enterprise 7 is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/
Comment 5 Arun Babu Neelicattu 2014-10-27 09:09:38 UTC 
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3584.yaml