It was found that the Apache CXF UsernameTokenPolicyValidator and UsernameTokenInterceptor allow a UsernameToken element with no password child element to bypass authentication. A remote attacker could use this flaw to circumvent access controls applied to web services by omitting the password in a UsernameToken. If an incorrect password is provided, authentication will fail, but if the password is omitted, it will succeed. This flaw is exploitable on web services that rely on WS-SecurityPolicy plaintext UsernameTokens to authenticate users. It is not exploitable when using hashed passwords or WS-Security without WS-SecurityPolicy.
Upstream bug for Apache CXF: https://issues.apache.org/jira/browse/CXF-4776
Upstream trunk patch commit: http://svn.apache.org/viewvc?view=revision&revision=1438424
Upstream advisory: http://cxf.apache.org/cve-2013-0239.html
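The logic flaw described above, modelled as an added illustration that is not Apache CXF's code: a plaintext UsernameToken validator that only compares the password when a Password child is present (the bug class) beside one that fails closed when it is missing. The SOAP header builder, the user store and the credentials are constructed for this example.

```python
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

# Constructed credential store for the example (hypothetical user).
USERS = {"alice": "s3cret"}

def _username_token(soap_header_xml: str):
    """Return (username, password, password Type) from a wsse:Security header."""
    root = ET.fromstring(soap_header_xml)
    tok = root.find(f".//{{{WSSE}}}UsernameToken")
    if tok is None:
        raise ValueError("no UsernameToken in security header")
    user = tok.find(f"{{{WSSE}}}Username")
    pw = tok.find(f"{{{WSSE}}}Password")
    return (user.text if user is not None else None,
            pw.text if pw is not None else None,
            pw.get("Type") if pw is not None else None)

def validate_flawed(soap_header_xml: str) -> bool:
    """Bug class: the password is checked only if a Password element exists,
    so a wrong password fails but an omitted one is accepted."""
    user, pw, _ = _username_token(soap_header_xml)
    if pw is not None and not hmac.compare_digest(pw, USERS.get(user, "")):
        return False
    return user in USERS

def validate_fixed(soap_header_xml: str) -> bool:
    """Fail closed: missing or empty password, or a non-plaintext Type, is rejected."""
    user, pw, ptype = _username_token(soap_header_xml)
    if user is None or not pw:
        return False
    if ptype not in (None, PASSWORD_TEXT):
        return False
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(pw, expected)

def header(username: str, password: Optional[str]) -> str:
    """Build a minimal constructed wsse:Security header; password=None omits the element."""
    pw = "" if password is None else (
        f'<wsse:Password Type="{PASSWORD_TEXT}">{password}</wsse:Password>')
    return (f'<wsse:Security xmlns:wsse="{WSSE}"><wsse:UsernameToken>'
            f'<wsse:Username>{username}</wsse:Username>{pw}'
            '</wsse:UsernameToken></wsse:Security>')
```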
Created cxf tracking bugs for this issue.
Affects: fedora-all [bug 909247]
This issue has been addressed in the following products:
JBoss Enterprise Application Platform 6.0.1
Via RHSA-2013:0645 https://rhn.redhat.com/errata/RHSA-2013-0645.html
This issue has been addressed in the following products:
JBEAP 6 for RHEL 5
JBEAP 6 for RHEL 6
Via RHSA-2013:0644 https://rhn.redhat.com/errata/RHSA-2013-0644.html
This issue has been addressed in the following products:
Fuse ESB Enterprise 7.1.0 Patch 3
Via RHSA-2013:0649 https://rhn.redhat.com/errata/RHSA-2013-0649.html
This issue has been addressed in the following products:
JBoss Portal Platform 6.0.0
Via RHSA-2013:0749 https://rhn.redhat.com/errata/RHSA-2013-0749.html