Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1157330 - (CVE-2014-3584) CVE-2014-3584 Apache CXF: Denial of Service (DoS) via invalid JAX-RS SAML tokens
CVE-2014-3584 Apache CXF: Denial of Service (DoS) via invalid JAX-RS SAML tokens
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20141025,repor...
: Security
Depends On: 1157305 1157331 1157332 1157935 1157937 1158224
Blocks: 1157339
  Show dependency treegraph
 
Reported: 2014-10-26 23:37 EDT by Arun Babu Neelicattu
Modified: 2018-06-29 18:02 EDT (History)
32 users (show)

See Also:
Fixed In Version: cxf 2.6.11, cxf 2.7.8, cxf 3.0.0-milestone1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Arun Babu Neelicattu 2014-10-26 23:37:42 EDT 
It was discovered that Apache CXF JAX-RS services, via the SamlHeaderInHandler implementation, incorrectly handled invalid SAML tokens provided in authorization headers of requests. A remote attacker can trigger an infinite loop by providing specially crafted values in authorization headers leading to a Denial of Service attack.

Upstream Issues:

https://issues.apache.org/jira/browse/CXF-5390

Upstream Commits:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=0b3894f57388b9955f2c33b2295223f2835cd7b3

References:

http://cxf.apache.org/security-advisories.data/CVE-2014-3584.txt.asc
Comment 1 Arun Babu Neelicattu 2014-10-26 23:39:03 EDT 
Created cxf tracking bugs for this issue:

Affects: fedora-all [bug 1157305]
Comment 4 Arun Babu Neelicattu 2014-10-27 04:39:47 EDT 
Statement:

This issue did not affect Apache CXF as shipped with Red Hat JBoss Enterprise Application Platform 5 and 6; Red Hat JBoss Enterprise Web Platform 5; Red Hat JBoss SOA Platform 5; Red Hat JBoss Fuse Service Works 6; Red Hat JBoss BRMS 5 and 6; Red Hat JBoss BPM Suite 6; Red Hat JBoss Data Virtualization 6; Red Hat JBoss Operations Network 3 and Red Hat JBoss Portal Platform 6 as the REST Web Services endpoints are not available.

Fuse ESB Enterprise 7 is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/
Comment 5 Arun Babu Neelicattu 2014-10-27 05:09:38 EDT 
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3584.yaml
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.