Bug 905722 (CVE-2013-0239)

Summary: CVE-2013-0239 jbossws-cxf, apache-cxf: UsernameTokenPolicyValidator and UsernameTokenInterceptor allow empty passwords to authenticate
Product: [Other] Security Response
Reporter: David Jorm <djorm>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aneelica, jlieskov, mgoldman, mjc, security-response-team, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-04-16 19:14:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 896347, 901329, 909247, 909248, 910936, 910943
Bug Blocks: 905724

Description David Jorm 2013-01-30 02:37:22 UTC
It was found that the Apache CXF UsernameTokenPolicyValidator and UsernameTokenInterceptor allow a UsernameToken element with no password child element to bypass authentication. A remote attacker could use this flaw to circumvent access controls applied to web services by omitting the password in a UsernameToken. If an incorrect password is provided, authentication will fail, but if the password is omitted, it will succeed. This flaw is exploitable on web services that rely on WS-SecurityPolicy plaintext UsernameTokens to authenticate users. It is not exploitable when using hashed passwords or WS-Security without WS-SecurityPolicy.
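The following is an added example, not code from Apache CXF, JBossWS or Red Hat, that models the logic flaw described above in a small Python validator for WS-Security plaintext UsernameTokens. It places a vulnerable check (a wrong password fails, an absent or empty Password element passes) next to a hardened one that requires a non-empty password before comparing it. The SOAP envelopes, the credential store and the usernames and passwords are constructed sample data; the namespace URIs are the standard WS-Security ones.

```python
"""
Toy WS-Security UsernameToken validator illustrating the CVE-2013-0239
failure mode: treating a missing <wsse:Password> as "nothing to check"
instead of "authentication failed". Added example, not CXF code.
"""
import hmac
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
NS = {"soap": SOAP_NS, "wsse": WSSE_NS}

# Constructed credential store for the example only.
USERS = {"alice": "correct horse battery staple"}


def envelope(username, password=None):
    """Build a constructed SOAP request; omit <wsse:Password> when password is None."""
    pw = ""
    if password is not None:
        pw = '<wsse:Password Type="%s">%s</wsse:Password>' % (PASSWORD_TEXT, escape(password))
    return (
        '<soap:Envelope xmlns:soap="%s"><soap:Header>'
        '<wsse:Security xmlns:wsse="%s"><wsse:UsernameToken>'
        '<wsse:Username>%s</wsse:Username>%s'
        '</wsse:UsernameToken></wsse:Security></soap:Header>'
        '<soap:Body/></soap:Envelope>' % (SOAP_NS, WSSE_NS, escape(username), pw)
    )


def parse_username_token(envelope_xml):
    """Return (username, password) from the first wsse:UsernameToken.

    password is None when the Password element is absent; ElementTree also
    yields None for an empty <wsse:Password/>, so both cases look alike here.
    """
    root = ET.fromstring(envelope_xml)
    token = root.find(".//wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        raise ValueError("no UsernameToken in Security header")
    user_el = token.find("wsse:Username", NS)
    pw_el = token.find("wsse:Password", NS)
    username = (user_el.text or "").strip() if user_el is not None else ""
    password = pw_el.text if pw_el is not None else None
    return username, password


def _password_matches(username, password):
    """Constant-time comparison against the constructed credential store."""
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(
        password.encode("utf-8"), expected.encode("utf-8"))


def validate_vulnerable(envelope_xml):
    """Flawed logic: the password is only checked when one is present."""
    username, password = parse_username_token(envelope_xml)
    if password is not None:
        return _password_matches(username, password)
    # BUG: no Password element means no comparison, so the caller
    # sees "validated" and the request proceeds without credentials.
    return True


def validate_fixed(envelope_xml):
    """Hardened logic: a plaintext token must carry a non-empty password."""
    username, password = parse_username_token(envelope_xml)
    if not username or not password:
        return False
    return _password_matches(username, password)


if __name__ == "__main__":
    cases = {
        "correct password": envelope("alice", USERS["alice"]),
        "wrong password": envelope("alice", "wrong"),
        "password element omitted": envelope("alice"),
        "empty password element": envelope("alice", ""),
    }
    for label, msg in cases.items():
        print("%-26s vulnerable=%-5s fixed=%s"
              % (label, validate_vulnerable(msg), validate_fixed(msg)))
```

Running the script prints a row per case; the two versions agree on correct and wrong passwords and differ only on the omitted and empty Password element, which is exactly the gap the advisory describes. The defensive rule is the one `validate_fixed` applies: for a plaintext UsernameToken policy, absence of a password is an authentication failure, not a skipped check.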

Comment 1 David Jorm 2013-01-30 02:49:54 UTC
Upstream bug for Apache CXF:

https://issues.apache.org/jira/browse/CXF-4776

Upstream trunk patch commit:

http://svn.apache.org/viewvc?view=revision&revision=1438424

Comment 2 Jan Lieskovsky 2013-02-08 13:59:22 UTC
Upstream advisory: http://cxf.apache.org/cve-2013-0239.html

Comment 4 Jan Lieskovsky 2013-02-08 14:06:44 UTC
Created cxf tracking bugs for this issue

Affects: fedora-all [bug 909247]

Comment 9 errata-xmlrpc 2013-03-13 18:49:45 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.0.1

Via RHSA-2013:0645 https://rhn.redhat.com/errata/RHSA-2013-0645.html

Comment 10 errata-xmlrpc 2013-03-13 18:50:03 UTC
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 5
  JBEAP 6 for RHEL 6

Via RHSA-2013:0644 https://rhn.redhat.com/errata/RHSA-2013-0644.html

Comment 11 errata-xmlrpc 2013-03-14 16:49:09 UTC
This issue has been addressed in the following products:

  Fuse ESB Enterprise 7.1.0 Patch 3

Via RHSA-2013:0649 https://rhn.redhat.com/errata/RHSA-2013-0649.html

Comment 12 errata-xmlrpc 2013-04-16 18:54:14 UTC
This issue has been addressed in the following products:

  JBoss Portal Platform 6.0.0

Via RHSA-2013:0749 https://rhn.redhat.com/errata/RHSA-2013-0749.html