The SecurityTokenService (STS) provided as part of Apache CXF has bindings to issue, validate, renew and cancel tokens. The main use case is to issue SAML tokens. However, a less common use case is to use the STS to validate SAML tokens. The vulnerability is that there are certain circumstances in which the STS will accept an invalid SAML token as valid if caching is enabled.

Affected versions:
Apache CXF 2.6.x < 2.6.12
Apache CXF 2.7.x < 2.7.9

Note from the Apache advisory: Although this vulnerability has been fixed in CXF 2.6.12 and 2.7.9, due to other security advisories it is recommended to upgrade to the following releases:
CXF 2.6.x users should upgrade to 2.6.14 or later as soon as possible.
CXF 2.7.x users should upgrade to 2.7.11 or later as soon as possible.

References:
http://cxf.apache.org/security-advisories.data/CVE-2014-0034.txt.asc

Upstream fix:
http://svn.apache.org/viewvc?view=revision&revision=1551228
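The failure mode described above, a validation cache that lets an invalid token through, as an added illustration. This is not CXF code and does not claim to reproduce the exact logic of the STS or of the upstream fix: it is a toy validator in which HMAC-signed records stand in for XML-Signature-signed SAML assertions. The vulnerable variant treats a cache hit on the assertion ID as proof that the presented token is valid; the fixed variant only honours a cache entry when the presented token is identical to the one that was actually validated and the entry is still within its validity window, and otherwise evicts the entry and runs full validation. The key, token IDs, subjects, clock value and cache policy are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for the STS signing key (a real STS signs with X.509/XML-DSig).
ISSUER_KEY = b"constructed-issuer-key-for-the-example"


@dataclass(frozen=True)
class Token:
    """Minimal stand-in for a SAML assertion: ID, subject, expiry and a signature."""
    token_id: str
    subject: str
    not_on_or_after: float
    signature: bytes


def _signed_payload(token_id: str, subject: str, not_on_or_after: float) -> bytes:
    return f"{token_id}|{subject}|{not_on_or_after:.0f}".encode()


def issue(token_id: str, subject: str, now: float, lifetime: float = 300.0,
          key: bytes = ISSUER_KEY) -> Token:
    """Issue a token the way an STS would: sign the ID, subject and expiry together."""
    expiry = now + lifetime
    sig = hmac.new(key, _signed_payload(token_id, subject, expiry), hashlib.sha256).digest()
    return Token(token_id, subject, expiry, sig)


def verify_signature(token: Token, key: bytes = ISSUER_KEY) -> bool:
    expected = hmac.new(key, _signed_payload(token.token_id, token.subject,
                                             token.not_on_or_after), hashlib.sha256).digest()
    return hmac.compare_digest(expected, token.signature)


def full_validate(token: Token, now: float) -> bool:
    """The expensive path: check the signature and the validity window."""
    return verify_signature(token) and now < token.not_on_or_after


class VulnerableValidator:
    """Caches by token ID and trusts any hit: the presented token is never re-checked."""

    def __init__(self) -> None:
        self.cache: Dict[str, Token] = {}

    def validate(self, token: Token, now: float) -> bool:
        if token.token_id in self.cache:   # BUG: a matching ID is taken as proof of validity
            return True
        if full_validate(token, now):
            self.cache[token.token_id] = token
            return True
        return False


class FixedValidator:
    """Only honours a cache entry that is identical to the presented token and still valid."""

    def __init__(self) -> None:
        self.cache: Dict[str, Token] = {}

    def validate(self, token: Token, now: float) -> bool:
        cached: Optional[Token] = self.cache.get(token.token_id)
        if cached is not None:
            same_signature = hmac.compare_digest(cached.signature, token.signature)
            if same_signature and cached == token and now < cached.not_on_or_after:
                return True
            # ID collision, tampered token or expired entry: evict and validate in full
            del self.cache[token.token_id]
        if full_validate(token, now):
            self.cache[token.token_id] = token
            return True
        return False


def demo() -> Dict[str, bool]:
    """Warm both caches with a genuine token, then present a forgery reusing its ID."""
    now = 1_700_000_000.0                      # fixed clock so the run is deterministic
    genuine = issue("_a1b2c3", "alice", now)
    # Constructed forgery: same assertion ID, different subject, no valid signature.
    forged = Token("_a1b2c3", "admin", now + 3600.0, b"\x00" * 32)

    vulnerable, fixed = VulnerableValidator(), FixedValidator()
    assert vulnerable.validate(genuine, now) and fixed.validate(genuine, now)

    return {
        "vulnerable_accepts_forged": vulnerable.validate(forged, now),          # True
        "fixed_accepts_forged": fixed.validate(forged, now),                    # False
        "fixed_accepts_genuine_again": fixed.validate(genuine, now),            # True
        "fixed_rejects_expired_cached": fixed.validate(genuine, now + 301.0),   # False
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point to carry over to a real deployment is the eviction step: a cache of "tokens that validated" must be keyed on, or verified against, something that binds the entry to the exact bytes that were checked (here the signature value), and a cached entry must still be subject to the expiry check, otherwise the cache quietly becomes a second, weaker trust path next to the signature verification.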
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.2.4 Via RHSA-2014:0797 https://rhn.redhat.com/errata/RHSA-2014-0797.html
This issue has been addressed in the following products: JBEAP 6.2 for RHEL 5 Via RHSA-2014:0798 https://rhn.redhat.com/errata/RHSA-2014-0798.html
This issue has been addressed in the following products: JBEAP 6.2 for RHEL 6 Via RHSA-2014:0799 https://rhn.redhat.com/errata/RHSA-2014-0799.html
Issue Description: It was found that the SecurityTokenService (STS), provided as a part of Apache CXF, could under certain circumstances accept invalid SAML tokens as valid. A remote attacker could use a specially crafted SAML token to gain access to an application that uses STS for validation of SAML tokens.
This issue has been addressed in the following products: Red Hat JBoss Fuse/A-MQ 6.1.0 Via RHSA-2014:1351 https://rhn.redhat.com/errata/RHSA-2014-1351.html
This issue has been addressed in the following products: JBoss BPM Suite 6.1.0 Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html
This issue has been addressed in the following products: JBoss BRMS 6.1.0 Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html
jboss-connector-1.6-api-1.0.1-1.fc22, cxf-build-utils-2.6.0-1.fc22, opensaml-java-xmltooling-1.3.4-9.fc22, cxf-xjc-utils-2.6.2-1.fc22, cxf-2.7.11-1.fc22 have been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: JBoss Portal 6.2.0 Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html