An Apache CXF endpoint can be used as an intermediary, where a token credential from the received message is used as a delegation token to obtain a new token from a Security Token Service (STS) for the outbound request. By default, the token retrieved from the STS is cached and associated with the delegation token via an identifier extracted from the delegation token. However, there is a weakness in how the identifier is extracted from the delegation token, which means that an attacker could craft a token which would return an identifier corresponding to a cached token for another user.

External References:
http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc

Upstream patch:
https://github.com/apache/cxf/commit/66c2c5b99e01a2165a2c5ed9ae34b4b9a512cb39
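The caching weakness described above, modelled as an added example that is neither CXF code nor the upstream patch: a cache keyed on an identifier read out of the delegation token, beside one keyed on a digest of the whole token. The class name, the `ID` attribute format, the stubbed STS call and the constructed tokens are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;
import java.util.function.Function;
import java.util.regex.*;

public class DelegationCacheKeyDemo {
    // Hypothetical token format: the identifier is an ID attribute chosen by the sender.
    private static final Pattern ID_ATTR = Pattern.compile("\\bID=\"([^\"]*)\"");

    // Weak key: depends only on one field of the token, so distinct tokens can share it.
    static String keyFromId(String token) {
        Matcher m = ID_ATTR.matcher(token);
        return m.find() ? m.group(1) : null;
    }

    // Stronger key: SHA-256 over the whole token as received (assumes the endpoint
    // has already validated the token before it reaches the cache).
    static String keyFromDigest(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Intermediary: reuse the cached outbound token for this key, else call the stubbed STS.
    static String outboundToken(Map<String, String> cache, Function<String, String> keyFn,
                                String delegationToken, String caller) {
        String key = keyFn.apply(delegationToken);
        if (key == null) return "sts-token-for-" + caller; // no usable key: do not cache
        return cache.computeIfAbsent(key, k -> "sts-token-for-" + caller);
    }

    public static void main(String[] args) {
        // Constructed sample tokens: different subjects, same ID attribute value.
        String first = "<Assertion ID=\"_a1\"><Subject>alice</Subject></Assertion>";
        String second = "<Assertion ID=\"_a1\"><Subject>mallory</Subject></Assertion>";
        Function<String, String> byId = DelegationCacheKeyDemo::keyFromId;
        Function<String, String> byDigest = DelegationCacheKeyDemo::keyFromDigest;
        Map<String, String> idCache = new HashMap<>();
        outboundToken(idCache, byId, first, "alice");
        System.out.println("ID key:     " + outboundToken(idCache, byId, second, "mallory"));
        Map<String, String> digestCache = new HashMap<>();
        outboundToken(digestCache, byDigest, first, "alice");
        System.out.println("digest key: " + outboundToken(digestCache, byDigest, second, "mallory"));
    }
}
```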
Created cxf tracking bugs for this issue:

Affects: fedora-all [bug 1445335]
This issue has been addressed in the following products:

Red Hat JBoss Fuse

Via RHSA-2017:1832 https://access.redhat.com/errata/RHSA-2017:1832
cxf-rt-ws-security-3.1.12.redhat-1 in EAP 7.1.0 is not affected.
This issue has been addressed in the following products:

Red Hat Openshift Application Runtimes

Via RHSA-2018:1694 https://access.redhat.com/errata/RHSA-2018:1694