UsernameTokens are sent in plaintext, i.e. not encrypted, by a CXF client that uses a SymmetricBinding with EncryptBeforeSigning enabled, and a UsernameToken policy that is a *EncryptedSupportingToken. No other binding is affected, and SignBeforeEncrypting is not affected either.

Affected versions:
Apache CXF 2.6.x < 2.6.13
Apache CXF 2.7.x < 2.7.10

NOTE from the Apache advisory: Although this vulnerability has been fixed in CXF 2.6.13 and 2.7.10, due to other security advisories it is recommended to upgrade to the following releases:
CXF 2.6.x users should upgrade to 2.6.14 or later as soon as possible.
CXF 2.7.x users should upgrade to 2.7.11 or later as soon as possible.

References:
http://cxf.apache.org/security-advisories.data/CVE-2014-0035.txt.asc

Upstream fix:
http://svn.apache.org/viewvc?view=revision&revision=1564724
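The advisory names three conditions that must all hold for a client to leak the UsernameToken: a SymmetricBinding, EncryptBeforeSigning inside that binding, and a UsernameToken carried by one of the *EncryptedSupportingTokens assertions. The following is an added audit helper, not code from the advisory, from Apache CXF or from Red Hat; it parses a WS-SecurityPolicy 1.2 fragment and reports whether that combination is present, and checks a CXF version string against the affected ranges and recommended upgrades listed above. The sample policy is constructed for the example (structurally simplified, with a fixed X509 protection token and Basic128 suite) and the function names are the example's own.

```python
import re
import xml.etree.ElementTree as ET

SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"

# Constructed WS-SecurityPolicy 1.2 sample (not from any real deployment).
# Placeholders select the binding, whether <sp:EncryptBeforeSigning/> is
# present, and which supporting-token assertion carries the UsernameToken.
POLICY_TEMPLATE = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:ExactlyOne><wsp:All>
    <sp:{binding}>
      <wsp:Policy>
        <sp:ProtectionToken><wsp:Policy>
          <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
            <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
          </sp:X509Token>
        </wsp:Policy></sp:ProtectionToken>
        <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
        <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
        <sp:IncludeTimestamp/>
        {order}
      </wsp:Policy>
    </sp:{binding}>
    <sp:{supporting}>
      <wsp:Policy>
        <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
          <wsp:Policy><sp:WssUsernameToken10/></wsp:Policy>
        </sp:UsernameToken>
      </wsp:Policy>
    </sp:{supporting}>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>
"""


def build_policy(binding="SymmetricBinding", encrypt_before_signing=True,
                 supporting="EncryptedSupportingTokens"):
    """Render the constructed sample policy with the chosen assertions."""
    order = "<sp:EncryptBeforeSigning/>" if encrypt_before_signing else ""
    return POLICY_TEMPLATE.format(binding=binding, order=order,
                                  supporting=supporting)


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def policy_matches_cve_2014_0035(policy_xml):
    """True only when all three advisory conditions hold in the policy."""
    root = ET.fromstring(policy_xml)
    bindings = [e for e in root.iter() if e.tag == "{%s}SymmetricBinding" % SP_NS]
    if not bindings:
        return False  # Asymmetric/Transport bindings are not affected
    if not any(_local(e.tag) == "EncryptBeforeSigning"
               for b in bindings for e in b.iter()):
        return False  # default order (sign before encrypt) is not affected
    for e in root.iter():
        # Matches EncryptedSupportingTokens, SignedEncryptedSupportingTokens,
        # EndorsingEncryptedSupportingTokens and the SignedEndorsing variant.
        if _local(e.tag).endswith("EncryptedSupportingTokens") and any(
                _local(t.tag) == "UsernameToken" for t in e.iter()):
            return True
    return False


def cxf_version_affected(version):
    """Affected ranges from the advisory: 2.6.x < 2.6.13, 2.7.x < 2.7.10.
    Branches the advisory does not list return False."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised CXF version: %r" % version)
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) == (2, 6):
        return patch < 13
    if (major, minor) == (2, 7):
        return patch < 10
    return False


def recommended_cxf_version(version):
    """Release the advisory note recommends for each affected branch."""
    return {"2.6": "2.6.14", "2.7": "2.7.11"}.get(version[:3])


def audit(version, policy_xml):
    """Combine both checks: returns (affected, human-readable verdict)."""
    if not cxf_version_affected(version):
        return False, "CXF %s is outside the affected ranges" % version
    if not policy_matches_cve_2014_0035(policy_xml):
        return False, "policy does not combine the three vulnerable assertions"
    return True, ("UsernameToken is sent in plaintext; upgrade to %s or later"
                  % recommended_cxf_version(version))


if __name__ == "__main__":
    for ver in ("2.7.9", "2.7.10"):
        print(ver, audit(ver, build_policy()))
```

Only the policy actually consumed by the CXF client matters, so run the check against the effective policy (WSDL-attached or configured via the CXF policy engine) rather than a server-side copy, and treat a match on a vulnerable version as a credential exposure for every host that could observe the client's traffic.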
Created cxf tracking bugs for this issue: Affects: fedora-all [bug 1095534]
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.2.4 Via RHSA-2014:0797 https://rhn.redhat.com/errata/RHSA-2014-0797.html
This issue has been addressed in the following products: JBEAP 6.2 for RHEL 5 Via RHSA-2014:0798 https://rhn.redhat.com/errata/RHSA-2014-0798.html
This issue has been addressed in the following products: JBEAP 6.2 for RHEL 6 Via RHSA-2014:0799 https://rhn.redhat.com/errata/RHSA-2014-0799.html
IssueDescription: It was discovered that UsernameTokens were sent in plain text by an Apache CXF client that used a Symmetric EncryptBeforeSigning password policy. A man-in-the-middle attacker could use this flaw to obtain the user name and password used by the client application using Apache CXF.
This issue has been addressed in the following products: Red Hat JBoss Fuse/A-MQ 6.1.0 Via RHSA-2014:1351 https://rhn.redhat.com/errata/RHSA-2014-1351.html
This issue has been addressed in the following products: JBoss BPM Suite 6.1.0 Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html
This issue has been addressed in the following products: JBoss BRMS 6.1.0 Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html
This issue has been addressed in the following products: JBoss Portal 6.2.0 Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html