Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk or JWT access tokens or JOSE JWS/JWE interceptors which depend on HMac secret key algorithms. This vulnerability affects all versions of Apache CXF prior to 3.0.13, 3.1.10. Upstream patches: CXF 3.1.x: http://git-wip-us.apache.org/repos/asf/cxf/commit/555843f9 CXF 3.0.x http://git-wip-us.apache.org/repos/asf/cxf/commit/1338469f CXF 3.2.0-SNAPSHOT (master): http://git-wip-us.apache.org/repos/asf/cxf/commit/e66ce235 External References: https://cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc
Created cxf tracking bugs for this issue: Affects: fedora-all [bug 1425458]
Thanks Adam , I have two questions 1- If I use vulnerable CXF version like 3.0.12 but I don't use OAuth2 Hawk and JOSE , should I still be vulnerable ? 2- Is this finding affects only Linux systems ?
Hi Hamed, Sorry for the delay getting back to you on this, to answer your questions: 1) No you are not vulnerable, basically there multiple access token types which can be used in cxf oauth2 and MAC and HAWK are among those token types so if you do not use them then you are not vulnerable. 2) Not necessarily linux systems, cxf oauth2 lib is affected and any application that utilizes this lib and uses the HAWK and MAC token types could potentially be impacted. Hope this helps.
Thanks for your response
This issue has been addressed in the following products: Red Hat JBoss Fuse Via RHSA-2017:1832 https://access.redhat.com/errata/RHSA-2017:1832
This vulnerability is out of security support scope for the following products: * Red Hat JBoss Data Grid 6 * Red Hat Enterprise Application Platform 5 * Red Hat Enterprise Application Platform 6 * Red Hat JBoss Operations Network 3 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Whilst Red Hat Enterprise Application Platform 7 and Red Hat SSO both include components of cxf the oauth2 components are not included.