Bug 1093530 - (CVE-2014-0035) CVE-2014-0035 Apache CXF: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20140501,reported=2...
Keywords: Security
Depends On: 1095534 1095535 1095536 1095537 1095538 1095539 1095540 1095541 1166937 1166938 1166939 1167713
Blocks: 1059445 1082938 1093533 1108493 1210482
Reported: 2014-05-01 21:43 EDT by Arun Babu Neelicattu
Modified: 2016-07-08 18:35 EDT (History)

See Also:
Fixed In Version: cxf 2.6.14, cxf 2.7.11
Doc Type: Bug Fix
Doc Text:
It was discovered that UsernameTokens were sent in plain text by an Apache CXF client that used a Symmetric EncryptBeforeSigning password policy. A man-in-the-middle attacker could use this flaw to obtain the user name and password used by the client application using Apache CXF.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-07-08 18:35:01 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHSA-2014:0797 | normal | SHIPPED_LIVE | Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 update | 2014-06-26 15:00:47 EDT
Red Hat Product Errata RHSA-2014:0798 | normal | SHIPPED_LIVE | Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 update | 2014-06-26 15:16:02 EDT
Red Hat Product Errata RHSA-2014:0799 | normal | SHIPPED_LIVE | Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 update | 2014-06-26 15:11:00 EDT
Red Hat Product Errata RHSA-2014:1351 | normal | SHIPPED_LIVE | Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security update | 2014-10-01 18:10:39 EDT
Red Hat Product Errata RHSA-2015:0850 | normal | SHIPPED_LIVE | Important: Red Hat JBoss BRMS 6.1.0 update | 2015-04-16 16:02:45 EDT
Red Hat Product Errata RHSA-2015:0851 | normal | SHIPPED_LIVE | Important: Red Hat JBoss BPM Suite 6.1.0 update | 2015-04-16 16:02:37 EDT
Red Hat Product Errata RHSA-2015:1009 | normal | SHIPPED_LIVE | Important: Red Hat JBoss Portal 6.2.0 update | 2015-05-14 15:14:47 EDT

Description Arun Babu Neelicattu 2014-05-01 21:43:37 EDT
UsernameTokens are sent in plaintext, i.e. not encrypted, by a CXF client that
uses a SymmetricBinding with EncryptBeforeSigning enabled, and a UsernameToken
policy that is a *EncryptedSupportingToken. No other binding is affected, and
SignBeforeEncrypting is not affected either.

Affected versions:
Apache CXF 2.6.x < 2.6.13
Apache CXF 2.7.x < 2.7.10

NOTE from apache advisory:
Although this vulnerability has been fixed in CXF 2.6.13 and 2.7.10, due to
other security advisories it is recommended to upgrade to the following
releases:
CXF 2.6.x users should upgrade to 2.6.14 or later as soon as possible.
CXF 2.7.x users should upgrade to 2.7.11 or later as soon as possible.


References:
http://cxf.apache.org/security-advisories.data/CVE-2014-0035.txt.asc

Upstream fix:
http://svn.apache.org/viewvc?view=revision&revision=1564724
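The description above names a specific combination of WS-SecurityPolicy assertions on the client side: a SymmetricBinding whose nested policy contains EncryptBeforeSigning, together with a UsernameToken placed inside one of the *EncryptedSupportingTokens assertions. The following helper is an added example, not code from this bug report or from Apache CXF; it walks a policy document and reports whether that combination is present, so that a defender can inventory which client policies were exposed before the upgrade to 2.6.14/2.7.11 and confirm the credentials in question are rotated. It generalizes slightly beyond the text by matching every assertion whose name ends in EncryptedSupportingTokens (EncryptedSupportingTokens, SignedEncryptedSupportingTokens and the endorsing variants). Element names are taken from the WS-SecurityPolicy 1.2 specification; matching is by local name so the 1.1 namespace is handled as well. The sample policies are constructed and trimmed (no ProtectionToken, no algorithm suite), so they illustrate the shape rather than being deployable.

```python
"""Flag WS-SecurityPolicy documents that carry the assertion combination
affected by CVE-2014-0035 (hypothetical helper, not CXF code)."""
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag: '{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def find_affected_combination(policy_xml: str) -> dict:
    """Report which parts of the affected combination a policy contains.

    'affected' is True only when all three hold:
      - a sp:SymmetricBinding is present
      - sp:EncryptBeforeSigning appears inside that binding's nested policy
      - a sp:UsernameToken appears inside any *EncryptedSupportingTokens
    SignBeforeEncrypting, other bindings, and non-encrypted supporting token
    assertions do not trigger the flag, matching the description above.
    """
    root = ET.fromstring(policy_xml)
    symmetric_bindings = [e for e in root.iter() if _local(e.tag) == "SymmetricBinding"]
    encrypt_before_signing = any(
        _local(child.tag) == "EncryptBeforeSigning"
        for binding in symmetric_bindings
        for child in binding.iter()
    )
    username_in_encrypted_supporting = any(
        _local(token.tag) == "UsernameToken"
        for supporting in root.iter()
        if _local(supporting.tag).endswith("EncryptedSupportingTokens")
        for token in supporting.iter()
    )
    result = {
        "symmetric_binding": bool(symmetric_bindings),
        "encrypt_before_signing": encrypt_before_signing,
        "username_token_in_encrypted_supporting_tokens": username_in_encrypted_supporting,
    }
    result["affected"] = all(result.values())
    return result


# Constructed, trimmed policy skeleton used to build the sample inputs below.
_TEMPLATE = """\
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:{binding}>
        <wsp:Policy>
          <sp:{layout}/>
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:{binding}>
      <sp:{supporting}>
        <wsp:Policy>
          <sp:UsernameToken/>
        </wsp:Policy>
      </sp:{supporting}>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
"""

# The combination the bug describes: expected to be flagged.
AFFECTED_POLICY = _TEMPLATE.format(
    binding="SymmetricBinding", layout="EncryptBeforeSigning",
    supporting="EncryptedSupportingTokens")
# Same binding and token placement, but SignBeforeEncrypting: not affected.
SIGN_BEFORE_ENCRYPT_POLICY = _TEMPLATE.format(
    binding="SymmetricBinding", layout="SignBeforeEncrypting",
    supporting="EncryptedSupportingTokens")
# AsymmetricBinding: not affected regardless of layout.
ASYMMETRIC_POLICY = _TEMPLATE.format(
    binding="AsymmetricBinding", layout="EncryptBeforeSigning",
    supporting="SignedEncryptedSupportingTokens")
# UsernameToken in a non-encrypted supporting token assertion: not affected.
PLAIN_SUPPORTING_POLICY = _TEMPLATE.format(
    binding="SymmetricBinding", layout="EncryptBeforeSigning",
    supporting="SignedSupportingTokens")

if __name__ == "__main__":
    for name, policy in [("affected", AFFECTED_POLICY),
                         ("sign-before-encrypt", SIGN_BEFORE_ENCRYPT_POLICY),
                         ("asymmetric", ASYMMETRIC_POLICY),
                         ("plain-supporting", PLAIN_SUPPORTING_POLICY)]:
        print(name, find_affected_combination(policy))
```

Run it against the WS-SecurityPolicy documents attached to your CXF clients (the `<wsp:Policy>` fragments in the WSDL or in the client's Spring/Blueprint configuration). A flagged policy does not by itself prove exposure, since the fix is in the CXF runtime rather than the policy, but it identifies the clients whose UsernameToken credentials may have travelled unencrypted under an affected CXF version.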
Comment 2 Chess Hazlett 2014-05-07 21:52:42 EDT
Created cxf tracking bugs for this issue:

Affects: fedora-all [bug 1095534]
Comment 4 errata-xmlrpc 2014-06-26 11:01:23 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.2.4

Via RHSA-2014:0797 https://rhn.redhat.com/errata/RHSA-2014-0797.html
Comment 5 errata-xmlrpc 2014-06-26 11:18:19 EDT
This issue has been addressed in the following products:

  JBEAP 6.2 for RHEL 5

Via RHSA-2014:0798 https://rhn.redhat.com/errata/RHSA-2014-0798.html
Comment 6 errata-xmlrpc 2014-06-26 12:18:13 EDT
This issue has been addressed in the following products:

  JBEAP 6.2 for RHEL 6

Via RHSA-2014:0799 https://rhn.redhat.com/errata/RHSA-2014-0799.html
Comment 7 Martin Prpič 2014-09-29 07:56:32 EDT
IssueDescription:

It was discovered that UsernameTokens were sent in plain text by an Apache CXF client that used a Symmetric EncryptBeforeSigning password policy. A man-in-the-middle attacker could use this flaw to obtain the user name and password used by the client application using Apache CXF.
Comment 8 errata-xmlrpc 2014-10-01 14:11:13 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Fuse/A-MQ 6.1.0

Via RHSA-2014:1351 https://rhn.redhat.com/errata/RHSA-2014-1351.html
Comment 11 errata-xmlrpc 2015-04-16 12:04:35 EDT
This issue has been addressed in the following products:

  JBoss BPM Suite 6.1.0

Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html
Comment 12 errata-xmlrpc 2015-04-16 12:09:07 EDT
This issue has been addressed in the following products:

  JBoss BRMS 6.1.0

Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html
Comment 13 errata-xmlrpc 2015-05-14 11:18:08 EDT
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
