Apache CXF supports the ability to use XML Signature and XML Encryption to secure JAX-RS services. Two different implementations are available: a DOM-based approach that works on a model of the message in memory before applying security, and a streaming-based implementation that is a useful alternative for larger messages. There is a bug in validating messages for JAX-RS clients using the streaming approach, where it will not enforce that the message is signed and/or encrypted. An exception is thrown in these cases but is not properly propagated to the client code, so the client proceeds as if the message had passed validation. The bug does not apply to DOM clients, and it does not apply to the streaming server-side case.

External References: http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc

Upstream patch: https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=fade9b81dabe27f864ca38e7b40f28fb44d6f165
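The failure mode described above is a client that raises on a message lacking the required security structures but then loses that exception, so unverified content is handed to the caller. The following added example (not CXF's own code, and not tied to its API) shows the defender's side of that pattern in Python: a fail-closed policy check that requires a ds:Signature and/or xenc:EncryptedData element in the message, a "broken" reader that swallows the check's exception the way the advisory describes, and a "fixed" reader that lets it propagate. The check is structural only; cryptographic verification of the signature and decryption are assumed to happen in a separate step. The sample messages are constructed for the example.

```python
"""Fail-closed enforcement of "message must be signed/encrypted" on the client side.

Added example for the CVE-2017-5653 description; not Apache CXF code.
Only checks that the XML Signature / XML Encryption structures are present;
cryptographic verification is assumed to be done elsewhere.
"""
import xml.etree.ElementTree as ET

# Namespaces defined by the XML Signature and XML Encryption standards.
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"


class SecurityRequirementError(Exception):
    """Raised when a message does not satisfy the client's security policy."""


def has_element(root, ns, local):
    """True if the root element, or any descendant, is {ns}local."""
    qname = f"{{{ns}}}{local}"
    return root.tag == qname or root.find(f".//{qname}") is not None


def check_message(xml_bytes, require_signature=True, require_encryption=False):
    """Parse the message and raise unless the required structures are present."""
    root = ET.fromstring(xml_bytes)
    if require_signature and not has_element(root, DS_NS, "Signature"):
        raise SecurityRequirementError("policy requires a signed message")
    if require_encryption and not has_element(root, XENC_NS, "EncryptedData"):
        raise SecurityRequirementError("policy requires an encrypted message")
    return root


def broken_client_read(xml_bytes, **policy):
    """Reproduces the advisory's pattern: the check raises, but the exception
    is swallowed, and the unverified payload still reaches the caller."""
    try:
        check_message(xml_bytes, **policy)
    except SecurityRequirementError:
        pass  # the rejection is lost here; the caller never learns of it
    return ET.fromstring(xml_bytes)


def fixed_client_read(xml_bytes, **policy):
    """Fail closed: a policy violation propagates to the calling code."""
    return check_message(xml_bytes, **policy)


def rejects(reader, xml_bytes, **policy):
    """True if `reader` surfaces a policy violation for this message."""
    try:
        reader(xml_bytes, **policy)
    except SecurityRequirementError:
        return True
    return False


# Constructed sample messages (hypothetical JAX-RS payloads, not real traffic).
SIGNED_MSG = b"""<Book xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Name>Example</Name>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
</Book>"""
PLAIN_MSG = b"<Book><Name>Example</Name></Book>"
ENCRYPTED_MSG = (
    b'<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
    b"<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>"
    b"</xenc:EncryptedData>"
)

if __name__ == "__main__":
    # The broken reader returns the unsigned payload as if it had been validated.
    print("broken reader rejects unsigned:", rejects(broken_client_read, PLAIN_MSG))
    # The fixed reader surfaces the violation to the caller.
    print("fixed reader rejects unsigned:", rejects(fixed_client_read, PLAIN_MSG))
    print("fixed reader accepts signed:", fixed_client_read(SIGNED_MSG).tag)
```

The point of the `rejects` helper is that it is exactly the kind of test a client integration suite should carry: feed an unsigned or unencrypted message to the client's read path and assert that the caller sees the rejection, not merely that a log line was written somewhere.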
Created cxf tracking bugs for this issue: Affects: fedora-all [bug 1445335]
This issue has been addressed in the following products: Red Hat JBoss Fuse Via RHSA-2017:1832 https://access.redhat.com/errata/RHSA-2017:1832