A vulnerability was found in the Apache CXF module that adds SAML SSO support to JAX-RS endpoints. It is possible to construct a SAML Response by means of a wrapping attack that lets a malicious user log in in place of the principal extracted from the signed SAML assertion. Affects versions prior to 3.1.3, 3.0.7 and 2.7.18.
Upstream patch: https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=845eccb6484b43ba02875c71e824db23ae4f20c0
External reference: http://cxf.apache.org/security-advisories.data/CVE-2015-5253.txt.asc?version=1&modificationDate=1447433340000&api=v2
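A wrapping attack of this kind succeeds against a consumer that takes the principal from whichever Assertion it happens to find first. The following is an added example, not CXF's code or its upstream fix: it contrasts that flawed pattern with a validator that only accepts the assertion the enveloped signature actually references, using constructed sample Responses and assuming the XML Signature itself has already been verified cryptographically by a separate library.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: one assertion carrying an enveloped signature.
GOOD = """<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" xmlns:ds="{ds}">
 <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
 </saml:Assertion></samlp:Response>""".format(**NS)

# Constructed test vector with the wrapping shape: an unsigned assertion is placed
# ahead of the signed one, so "first assertion wins" code picks the wrong subject.
WRAPPED = GOOD.replace("<saml:Assertion ID=\"_a1\">",
    "<saml:Assertion ID=\"_x\"><saml:Subject><saml:NameID>mallory</saml:NameID>"
    "</saml:Subject></saml:Assertion><saml:Assertion ID=\"_a1\">")

def naive_subject(xml: str) -> str:
    """Flawed pattern: trusts the first Assertion found, ignoring which one is signed."""
    return ET.fromstring(xml).find(".//saml:Assertion/saml:Subject/saml:NameID", NS).text

def signed_subject(xml: str) -> str:
    """Hardened: the principal comes only from the element the signature covers.

    Assumes the XML Signature was already verified cryptographically; this function
    enforces the structural binding that a wrapping attack breaks."""
    root = ET.fromstring(xml)
    parent = {c: p for p in root.iter() for c in p}  # ElementTree has no parent links
    sigs = root.findall(".//ds:Signature", NS)
    if len(sigs) != 1:
        raise ValueError("expected exactly one Signature")
    refs = sigs[0].findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1 or not refs[0].get("URI", "").startswith("#"):
        raise ValueError("expected one same-document Reference")
    signed_id = refs[0].get("URI")[1:]
    assertions = root.findall("saml:Assertion", NS)  # direct children of Response only
    if len(assertions) != 1 or root.findall(".//saml:Assertion", NS) != assertions:
        raise ValueError("Response must carry exactly one top-level Assertion")
    a = assertions[0]
    # The referenced ID must resolve to this very assertion, and the signature must
    # be enveloped inside it rather than hung off some other element.
    if a.get("ID") != signed_id or parent[sigs[0]] is not a:
        raise ValueError("Assertion is not the signed element")
    return a.find("saml:Subject/saml:NameID", NS).text
```

The same binding check applies whatever signature library does the cryptography: resolve the Reference URI yourself, require it to be unique, and extract the subject from that node and no other.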
CXF JAX-RS, where this vulnerability lies, is not supported in JBoss EAP. See this article as a reference: https://access.redhat.com/solutions/97523
This issue will be addressed in Fuse 6.3.
We're also backporting the fix to Fuse 6.2.1 in Rollup 1. https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.2.1
This issue has been addressed in the following products: JBoss Fuse 6.2.1, via RHSA-2016:0321 (https://rhn.redhat.com/errata/RHSA-2016-0321.html)