Apache WSS4J as used by Apache CXF with the TransportBinding does not, by default, properly enforce all security requirements associcated with SAML SubjectConfirmation methods. Web service endpoints, secured by WSS4j, that rely on SAML for authentication are considered vulnerable to types of spoofing attacks. Upstream Issues: https://issues.apache.org/jira/browse/WSS-510 https://issues.apache.org/jira/browse/WSS-511 https://issues.apache.org/jira/browse/WSS-511 Upstream Commits: http://svn.apache.org/viewvc?view=revision&revision=1624308 http://svn.apache.org/viewvc?view=revision&revision=1624287 http://svn.apache.org/viewvc?view=revision&revision=1624262 References: http://cxf.apache.org/security-advisories.data/CVE-2014-3623.txt.asc
Victims Record: https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3623.yaml
Created wildfly tracking bugs for this issue: Affects: fedora-all [bug 1157415]
Statement: Fuse ESB Enterprise 7 is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/ Red Hat JBoss SOA Platform 5 and Red Hat JBoss BRMS 5 are now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware Product Life Cycle: https://access.redhat.com/support/policy/updates/jboss_notes/
wss4j-1.6.17-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
wss4j-1.6.17-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: JBoss Enterprise Application Platform 6.3.2 Via RHSA-2014:2020 https://rhn.redhat.com/errata/RHSA-2014-2020.html
This issue has been addressed in the following products: JBEAP 6.3.z for RHEL 6 JBEAP 6.3.z for RHEL 5 JBEAP 6.3.z for RHEL 7 Via RHSA-2014:2019 https://rhn.redhat.com/errata/RHSA-2014-2019.html
This issue has been addressed in the following products: Red Hat JBoss Fuse/A-MQ 6.1.0 Via RHSA-2015:0236 https://rhn.redhat.com/errata/RHSA-2015-0236.html
This issue has been addressed in the following products: JBoss Data Virtualization 6.1.0 Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html
This issue has been addressed in the following products: JBoss BPM Suite 6.1.0 Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html
This issue has been addressed in the following products: JBoss BRMS 6.1.0 Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html