Bug 889008 (CVE-2012-5633) - CVE-2012-5633 jbossws-cxf, apache-cxf: Bypass of security constraints on WS endpoints when using WSS4JInInterceptor
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-5633
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 873846 896337 896338 896347 901329 909247 909248 915386
Blocks: 889009 917476 917477
Reported: 2012-12-20 02:15 UTC by David Jorm
Modified: 2019-09-29 12:58 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-15 21:29:28 UTC
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2013:0256 | 0 | normal | SHIPPED_LIVE | Important: JBoss Enterprise Application Platform 5.2.0 security update | 2013-02-13 23:50:39 UTC
Red Hat Product Errata | RHSA-2013:0257 | 0 | normal | SHIPPED_LIVE | Important: JBoss Enterprise Application Platform 5.2.0 security update | 2013-02-14 00:01:01 UTC
Red Hat Product Errata | RHSA-2013:0258 | 0 | normal | SHIPPED_LIVE | Important: JBoss Enterprise Web Platform 5.2.0 security update | 2013-02-14 00:00:56 UTC
Red Hat Product Errata | RHSA-2013:0259 | 0 | normal | SHIPPED_LIVE | Important: JBoss Enterprise Web Platform 5.2.0 security update | 2013-02-14 00:00:47 UTC
Red Hat Product Errata | RHSA-2013:0644 | 0 | normal | SHIPPED_LIVE | Important: apache-cxf security update | 2013-03-13 22:49:09 UTC
Red Hat Product Errata | RHSA-2013:0645 | 0 | normal | SHIPPED_LIVE | Important: apache-cxf security update | 2013-03-13 22:49:02 UTC
Red Hat Product Errata | RHSA-2013:0649 | 0 | normal | SHIPPED_LIVE | Important: Fuse ESB Enterprise 7.1.0 update | 2013-03-14 20:48:11 UTC
Red Hat Product Errata | RHSA-2013:0726 | 0 | normal | SHIPPED_LIVE | Important: JBoss Enterprise SOA Platform 5.3.1 update | 2013-04-09 22:11:58 UTC
Red Hat Product Errata | RHSA-2013:0743 | 0 | normal | SHIPPED_LIVE | Important: JBoss Enterprise BRMS Platform 5.3.1 update | 2013-04-15 21:51:34 UTC
Red Hat Product Errata | RHSA-2013:0749 | 0 | normal | SHIPPED_LIVE | Important: apache-cxf security update | 2013-04-16 22:53:46 UTC

Description David Jorm 2012-12-20 02:15:54 UTC
If web services are deployed using Apache CXF with the WSS4JInInterceptor enabled to apply WS-Security processing, HTTP GET requests to these services will always be granted access, without applying authentication checks. The URIMappingInterceptor is a legacy mechanism for allowing REST-like access (via GET requests) to simple SOAP services. A remote attacker could use this flaw to access the REST-like interface of a simple SOAP service using GET requests that bypass the security constraints applied by WSS4JInInterceptor. This flaw is only exploitable if WSS4JInInterceptor is used to apply WS-Security processing. Services that use WS-SecurityPolicy to apply security are not affected.

Comment 1 David Jorm 2012-12-20 02:20:37 UTC
Upstream bug for JBoss Web Services:

https://issues.jboss.org/browse/JBWS-3575

Upstream bug for Apache CXF:

https://issues.apache.org/jira/browse/CXF-4629

Upstream patch commit for 2.6.x:

http://svn.apache.org/viewvc?view=revision&revision=1420756

Comment 4 Jan Lieskovsky 2013-02-08 13:58:16 UTC
Upstream advisory: http://cxf.apache.org/cve-2012-5633.html

Comment 6 Jan Lieskovsky 2013-02-08 14:06:02 UTC
Created cxf tracking bugs for this issue

Affects: fedora-all [bug 909247]

Comment 7 errata-xmlrpc 2013-02-13 18:52:05 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0256 https://rhn.redhat.com/errata/RHSA-2013-0256.html

Comment 8 errata-xmlrpc 2013-02-13 19:02:44 UTC
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2013:0259 https://rhn.redhat.com/errata/RHSA-2013-0259.html

Comment 9 errata-xmlrpc 2013-02-13 19:02:50 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0258 https://rhn.redhat.com/errata/RHSA-2013-0258.html

Comment 10 errata-xmlrpc 2013-02-13 19:03:26 UTC
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2013:0257 https://rhn.redhat.com/errata/RHSA-2013-0257.html

Comment 11 errata-xmlrpc 2013-03-13 18:49:32 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.0.1

Via RHSA-2013:0645 https://rhn.redhat.com/errata/RHSA-2013-0645.html

Comment 12 errata-xmlrpc 2013-03-13 18:49:57 UTC
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 5
  JBEAP 6 for RHEL 6

Via RHSA-2013:0644 https://rhn.redhat.com/errata/RHSA-2013-0644.html

Comment 13 errata-xmlrpc 2013-03-14 16:49:04 UTC
This issue has been addressed in the following products:

  Fuse ESB Enterprise 7.1.0 Patch 3

Via RHSA-2013:0649 https://rhn.redhat.com/errata/RHSA-2013-0649.html

Comment 14 errata-xmlrpc 2013-04-09 18:19:44 UTC
This issue has been addressed in the following products:

  JBoss Enterprise SOA Platform 5.3.1

Via RHSA-2013:0726 https://rhn.redhat.com/errata/RHSA-2013-0726.html

Comment 15 errata-xmlrpc 2013-04-15 17:52:16 UTC
This issue has been addressed in the following products:

  JBoss Enterprise BRMS Platform 5.3.1

Via RHSA-2013:0743 https://rhn.redhat.com/errata/RHSA-2013-0743.html

Comment 16 errata-xmlrpc 2013-04-16 18:54:06 UTC
This issue has been addressed in the following products:

  JBoss Portal Platform 6.0.0

Via RHSA-2013:0749 https://rhn.redhat.com/errata/RHSA-2013-0749.html