Bug 1157304 (CVE-2014-3623) - CVE-2014-3623 Apache WSS4J / Apache CXF: Improper security semantics enforcement of SAML SubjectConfirmation methods
Summary: CVE-2014-3623 Apache WSS4J / Apache CXF: Improper security semantics enforcem...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3623
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20141025,repor...
Depends On: 1157787 1157788 1157789 1155324 1157305 1157306 1157312 1157313 1157415 1157781 1157782 1157783 1157784 1157785 1157786 1157790 1157791 1157792 1157935 1157937 1158224
Blocks: 1155883 1157339 1194004 1200191 1210482
TreeView+ depends on / blocked
 
Reported: 2014-10-27 02:28 UTC by Arun Babu Neelicattu
Modified: 2019-06-11 11:13 UTC (History)
31 users (show)

Fixed In Version: wss4j 1.6.17, wss4j 2.0.2, cxf 2.7.13, cxf 3.0.2, wildfly 9.0.0.Beta1
Doc Type: Bug Fix
Doc Text:
It was found that Apache WSS4J (Web Services Security for Java), as used by Apache CXF with the TransportBinding, did not, by default, properly enforce all security requirements associated with SAML SubjectConfirmation methods. A remote attacker could use this flaw to perform various types of spoofing attacks on web service endpoints secured by WSS4J that rely on SAML for authentication.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:35:30 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:2019 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.3.2 security update 2014-12-18 22:58:44 UTC
Red Hat Product Errata RHSA-2014:2020 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.3.2 security update 2014-12-18 22:48:10 UTC
Red Hat Product Errata RHSA-2015:0236 normal SHIPPED_LIVE Moderate: Red Hat JBoss Fuse/A-MQ 6.1.0 security and bug fix update 2015-02-19 02:31:32 UTC
Red Hat Product Errata RHSA-2015:0675 normal SHIPPED_LIVE Important: Red Hat JBoss Data Virtualization 6.1.0 update 2015-03-11 20:51:21 UTC
Red Hat Product Errata RHSA-2015:0850 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.1.0 update 2015-04-16 20:02:45 UTC
Red Hat Product Errata RHSA-2015:0851 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.1.0 update 2015-04-16 20:02:37 UTC

Description Arun Babu Neelicattu 2014-10-27 02:28:23 UTC
Apache WSS4J as used by Apache CXF with the TransportBinding does not, by default, properly enforce all security requirements associcated with SAML SubjectConfirmation methods. Web service endpoints, secured by WSS4j, that rely on SAML for authentication are considered vulnerable to types of spoofing attacks.

Upstream Issues:

https://issues.apache.org/jira/browse/WSS-510
https://issues.apache.org/jira/browse/WSS-511
https://issues.apache.org/jira/browse/WSS-511

Upstream Commits:

http://svn.apache.org/viewvc?view=revision&revision=1624308
http://svn.apache.org/viewvc?view=revision&revision=1624287
http://svn.apache.org/viewvc?view=revision&revision=1624262

References:

http://cxf.apache.org/security-advisories.data/CVE-2014-3623.txt.asc

Comment 3 Arun Babu Neelicattu 2014-10-27 03:02:14 UTC
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3623.yaml

Comment 5 Arun Babu Neelicattu 2014-10-27 08:39:27 UTC
Created wildfly tracking bugs for this issue:

Affects: fedora-all [bug 1157415]

Comment 9 Chess Hazlett 2014-10-28 02:46:19 UTC
Statement:

Fuse ESB Enterprise 7 is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/

Red Hat JBoss SOA Platform 5 and Red Hat JBoss BRMS 5 are now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware Product Life Cycle: https://access.redhat.com/support/policy/updates/jboss_notes/

Comment 13 Fedora Update System 2014-11-01 17:15:39 UTC
wss4j-1.6.17-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2014-11-07 02:33:23 UTC
wss4j-1.6.17-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 errata-xmlrpc 2014-12-18 17:48:54 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.3.2

Via RHSA-2014:2020 https://rhn.redhat.com/errata/RHSA-2014-2020.html

Comment 16 errata-xmlrpc 2014-12-18 17:59:52 UTC
This issue has been addressed in the following products:

  JBEAP 6.3.z for RHEL 6
  JBEAP 6.3.z for RHEL 5
  JBEAP 6.3.z for RHEL 7

Via RHSA-2014:2019 https://rhn.redhat.com/errata/RHSA-2014-2019.html

Comment 18 errata-xmlrpc 2015-02-18 21:31:57 UTC
This issue has been addressed in the following products:

Red Hat JBoss Fuse/A-MQ 6.1.0

Via RHSA-2015:0236 https://rhn.redhat.com/errata/RHSA-2015-0236.html

Comment 19 errata-xmlrpc 2015-03-11 16:55:13 UTC
This issue has been addressed in the following products:

JBoss Data Virtualization 6.1.0

Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html

Comment 23 errata-xmlrpc 2015-04-16 16:07:24 UTC
This issue has been addressed in the following products:

  JBoss BPM Suite 6.1.0

Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html

Comment 24 errata-xmlrpc 2015-04-16 16:12:13 UTC
This issue has been addressed in the following products:

  JBoss BRMS 6.1.0

Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html


Note You need to log in before you can comment on or make changes to this bug.