Bug 905722 (CVE-2013-0239) - CVE-2013-0239 jbossws-cxf, apache-cxf: UsernameTokenPolicyValidator and UsernameTokenInterceptor allow empty passwords to authenticate
Summary: CVE-2013-0239 jbossws-cxf, apache-cxf: UsernameTokenPolicyValidator and Usern...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-0239
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 896347 901329 909247 909248 910936 910943
Blocks: 905724
 
Reported: 2013-01-30 02:37 UTC by David Jorm
Modified: 2019-09-29 12:59 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-16 19:14:46 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0644 0 normal SHIPPED_LIVE Important: apache-cxf security update 2013-03-13 22:49:09 UTC
Red Hat Product Errata RHSA-2013:0645 0 normal SHIPPED_LIVE Important: apache-cxf security update 2013-03-13 22:49:02 UTC
Red Hat Product Errata RHSA-2013:0649 0 normal SHIPPED_LIVE Important: Fuse ESB Enterprise 7.1.0 update 2013-03-14 20:48:11 UTC
Red Hat Product Errata RHSA-2013:0749 0 normal SHIPPED_LIVE Important: apache-cxf security update 2013-04-16 22:53:46 UTC

Description David Jorm 2013-01-30 02:37:22 UTC
It was found that the Apache CXF UsernameTokenPolicyValidator and UsernameTokenInterceptor allow a UsernameToken element with no password child element to bypass authentication. A remote attacker could use this flaw to circumvent access controls applied to web services by omitting the password in a UsernameToken. If an incorrect password is provided, authentication will fail, but if the password is omitted, it will succeed. This flaw is exploitable on web services that rely on WS-SecurityPolicy plaintext UsernameTokens to authenticate users. It is not exploitable when using hashed passwords or WS-Security without WS-SecurityPolicy.
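A minimal model of the check described above, added here as an example and not code from Apache CXF or from this report: the vulnerable validator only compares a password that is present, so a UsernameToken with no Password child passes, while the corrected validator treats a missing element as a failed authentication. The namespace and PasswordText type URIs are the standard WS-Security ones; the header builder and the credential store are constructed for illustration.

```python
# Added example (not from Apache CXF or this bug report): vulnerable vs. fixed
# handling of a WS-Security plaintext UsernameToken, modelling CVE-2013-0239.
import hmac
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

USERS = {"alice": "s3cret"}  # constructed credential store


def token(username, password=None):
    """Build a constructed wsse:Security header; password=None omits the element."""
    pw = "" if password is None else (
        f'<wsse:Password Type="{PASSWORD_TEXT}">{password}</wsse:Password>')
    return (f'<wsse:Security xmlns:wsse="{WSSE}"><wsse:UsernameToken>'
            f'<wsse:Username>{username}</wsse:Username>{pw}'
            '</wsse:UsernameToken></wsse:Security>')


def parse_username_token(header_xml):
    """Return (username, password); password is None when the element is absent."""
    root = ET.fromstring(header_xml)
    tok = root.find(f".//{{{WSSE}}}UsernameToken")
    if tok is None:
        raise ValueError("no UsernameToken in header")
    pw_el = tok.find(f"{{{WSSE}}}Password")
    password = None if pw_el is None else (pw_el.text or "")
    return tok.findtext(f"{{{WSSE}}}Username"), password


def vulnerable_validate(header_xml, users=USERS):
    user, password = parse_username_token(header_xml)
    if user not in users:
        return False
    # Flaw: only a *present* password is compared, so omitting it skips the check.
    if password is not None and password != users[user]:
        return False
    return True


def fixed_validate(header_xml, users=USERS):
    user, password = parse_username_token(header_xml)
    if user not in users or password is None:
        return False  # a missing Password element is an authentication failure
    return hmac.compare_digest(password.encode(), users[user].encode())
```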

Comment 1 David Jorm 2013-01-30 02:49:54 UTC
Upstream bug for Apache CXF:

https://issues.apache.org/jira/browse/CXF-4776

Upstream trunk patch commit:

http://svn.apache.org/viewvc?view=revision&revision=1438424

Comment 2 Jan Lieskovsky 2013-02-08 13:59:22 UTC
Upstream advisory: http://cxf.apache.org/cve-2013-0239.html

Comment 4 Jan Lieskovsky 2013-02-08 14:06:44 UTC
Created cxf tracking bugs for this issue

Affects: fedora-all [bug 909247]

Comment 9 errata-xmlrpc 2013-03-13 18:49:45 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.0.1

Via RHSA-2013:0645 https://rhn.redhat.com/errata/RHSA-2013-0645.html

Comment 10 errata-xmlrpc 2013-03-13 18:50:03 UTC
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 5
  JBEAP 6 for RHEL 6

Via RHSA-2013:0644 https://rhn.redhat.com/errata/RHSA-2013-0644.html

Comment 11 errata-xmlrpc 2013-03-14 16:49:09 UTC
This issue has been addressed in the following products:

  Fuse ESB Enterprise 7.1.0 Patch 3

Via RHSA-2013:0649 https://rhn.redhat.com/errata/RHSA-2013-0649.html

Comment 12 errata-xmlrpc 2013-04-16 18:54:14 UTC
This issue has been addressed in the following products:

  JBoss Portal Platform 6.0.0

Via RHSA-2013:0749 https://rhn.redhat.com/errata/RHSA-2013-0749.html
