Bug 1093530 (CVE-2014-0035) - CVE-2014-0035 Apache CXF: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy
Summary: CVE-2014-0035 Apache CXF: UsernameTokens are sent in plaintext with a Symmetr...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-0035
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1095534 1095535 1095536 1095537 1095538 1095539 1095540 1095541 1166937 1166938 1166939 1167713
Blocks: 1059445 1082938 1093533 1108493 1210482
TreeView+ depends on / blocked
 
Reported: 2014-05-02 01:43 UTC by Arun Babu Neelicattu
Modified: 2019-09-29 13:16 UTC (History)
52 users (show)

Fixed In Version: cxf 2.6.14, cxf 2.7.11
Doc Type: Bug Fix
Doc Text:
It was discovered that UsernameTokens were sent in plain text by an Apache CXF client that used a Symmetric EncryptBeforeSigning password policy. A man-in-the-middle attacker could use this flaw to obtain the user name and password used by the client application using Apache CXF.
Clone Of:
Environment:
Last Closed: 2016-07-08 22:35:01 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0797 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 update 2014-06-26 19:00:47 UTC
Red Hat Product Errata RHSA-2014:0798 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 update 2014-06-26 19:16:02 UTC
Red Hat Product Errata RHSA-2014:0799 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 update 2014-06-26 19:11:00 UTC
Red Hat Product Errata RHSA-2014:1351 0 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security update 2014-10-01 22:10:39 UTC
Red Hat Product Errata RHSA-2015:0850 0 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.1.0 update 2015-04-16 20:02:45 UTC
Red Hat Product Errata RHSA-2015:0851 0 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.1.0 update 2015-04-16 20:02:37 UTC
Red Hat Product Errata RHSA-2015:1009 0 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 6.2.0 update 2015-05-14 19:14:47 UTC

Description Arun Babu Neelicattu 2014-05-02 01:43:37 UTC 
UsernameTokens are sent in plaintext, i.e. not encrypted, by a CXF client that
uses a SymmetricBinding with EncryptBeforeSigning enabled, and a UsernameToken
policy that is a *EncryptedSupportingToken. No other binding is affected, and
SignBeforeEncrypting is not affected either.

Affected versions:
Apach CXF 2.6.x < 2.6.13
Apach CXF 2.7.x < 2.7.10

NOTE from apache advisory:
Although this vulnerability has been fixed in CXF 2.6.13 and 2.7.10, due to 
other security advisories it is recommended to upgrade to the following
releases:
CXF 2.6.x users should upgrade to 2.6.14 or later as soon as possible.
CXF 2.7.x users should upgrade to 2.7.11 or later as soon as possible.


References:
http://cxf.apache.org/security-advisories.data/CVE-2014-0035.txt.asc

Upstream fix:
http://svn.apache.org/viewvc?view=revision&revision=1564724
Comment 2 Chess Hazlett 2014-05-08 01:52:42 UTC 
Created cxf tracking bugs for this issue:

Affects: fedora-all [bug 1095534]
Comment 4 errata-xmlrpc 2014-06-26 15:01:23 UTC 
This issue has been addressed in following products:

  Red Hat JBoss Enterprise Application Platform 6.2.4

Via RHSA-2014:0797 https://rhn.redhat.com/errata/RHSA-2014-0797.html
Comment 5 errata-xmlrpc 2014-06-26 15:18:19 UTC 
This issue has been addressed in following products:

  JBEAP 6.2 for RHEL 5

Via RHSA-2014:0798 https://rhn.redhat.com/errata/RHSA-2014-0798.html
Comment 6 errata-xmlrpc 2014-06-26 16:18:13 UTC 
This issue has been addressed in following products:

  JBEAP 6.2 for RHEL 6

Via RHSA-2014:0799 https://rhn.redhat.com/errata/RHSA-2014-0799.html
Comment 7 Martin Prpič 2014-09-29 11:56:32 UTC 
IssueDescription:

It was discovered that UsernameTokens were sent in plain text by an Apache CXF client that used a Symmetric EncryptBeforeSigning password policy. A man-in-the-middle attacker could use this flaw to obtain the user name and password used by the client application using Apache CXF.
Comment 8 errata-xmlrpc 2014-10-01 18:11:13 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse/A-MQ 6.1.0

Via RHSA-2014:1351 https://rhn.redhat.com/errata/RHSA-2014-1351.html
Comment 11 errata-xmlrpc 2015-04-16 16:04:35 UTC 
This issue has been addressed in the following products:

  JBoss BPM Suite 6.1.0

Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html
Comment 12 errata-xmlrpc 2015-04-16 16:09:07 UTC 
This issue has been addressed in the following products:

  JBoss BRMS 6.1.0

Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html
Comment 13 errata-xmlrpc 2015-05-14 15:18:08 UTC 
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
Note You need to log in before you can comment on or make changes to this bug.