Bug 1093529 (CVE-2014-0034) - CVE-2014-0034 Apache CXF: The SecurityTokenService accepts certain invalid SAML Tokens as valid
Summary: CVE-2014-0034 Apache CXF: The SecurityTokenService accepts certain invalid SA...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-0034
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1095492 1095527 1095528 1095529 1095530 1095531 1095532 1095533 1166940 1166941 1166942 1167713
Blocks: 1059445 1082938 1093532 1108493 1210482
TreeView+ depends on / blocked
 
Reported: 2014-05-02 01:42 UTC by Arun Babu Neelicattu
Modified: 2019-09-29 13:16 UTC (History)
52 users (show)

Fixed In Version: cxf 2.6.14, cxf 2.7.11
Doc Type: Bug Fix
Doc Text:
It was found that the SecurityTokenService (STS), provided as a part of Apache CXF, could under certain circumstances accept invalid SAML tokens as valid. A remote attacker could use a specially crafted SAML token to gain access to an application that uses STS for validation of SAML tokens.
Clone Of:
Environment:
Last Closed: 2016-07-12 23:18:15 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0797 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 update 2014-06-26 19:00:47 UTC
Red Hat Product Errata RHSA-2014:0798 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 update 2014-06-26 19:16:02 UTC
Red Hat Product Errata RHSA-2014:0799 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 update 2014-06-26 19:11:00 UTC
Red Hat Product Errata RHSA-2014:1351 0 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security update 2014-10-01 22:10:39 UTC
Red Hat Product Errata RHSA-2015:0850 0 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.1.0 update 2015-04-16 20:02:45 UTC
Red Hat Product Errata RHSA-2015:0851 0 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.1.0 update 2015-04-16 20:02:37 UTC
Red Hat Product Errata RHSA-2015:1009 0 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 6.2.0 update 2015-05-14 19:14:47 UTC

Description Arun Babu Neelicattu 2014-05-02 01:42:22 UTC 
The SecurityTokenService (STS) provided as part of Apache CXF has bindings to
issue, validate, renew and cancel tokens. The main use-case is to issue SAML
tokens. However, a less common use-case is to use the STS to validate SAML
tokens. The vulnerability is that there are certain circumstances in which the
STS will accept an invalid SAML token as valid if caching is enabled.

Affected versions:
Apach CXF 2.6.x < 2.6.12
Apach CXF 2.7.x < 2.7.9

Note from apache advisory:
Although this vulnerability has been fixed in CXF 2.6.12 and 2.7.9, due to 
other security advisories it is recommended to upgrade to the following
releases:
CXF 2.6.x users should upgrade to 2.6.14 or later as soon as possible.
CXF 2.7.x users should upgrade to 2.7.11 or later as soon as possible.

References:
http://cxf.apache.org/security-advisories.data/CVE-2014-0034.txt.asc

Upstream fix:
http://svn.apache.org/viewvc?view=revision&revision=1551228
Comment 4 errata-xmlrpc 2014-06-26 15:01:18 UTC 
This issue has been addressed in following products:

  Red Hat JBoss Enterprise Application Platform 6.2.4

Via RHSA-2014:0797 https://rhn.redhat.com/errata/RHSA-2014-0797.html
Comment 5 errata-xmlrpc 2014-06-26 15:18:14 UTC 
This issue has been addressed in following products:

  JBEAP 6.2 for RHEL 5

Via RHSA-2014:0798 https://rhn.redhat.com/errata/RHSA-2014-0798.html
Comment 6 errata-xmlrpc 2014-06-26 16:18:08 UTC 
This issue has been addressed in following products:

  JBEAP 6.2 for RHEL 6

Via RHSA-2014:0799 https://rhn.redhat.com/errata/RHSA-2014-0799.html
Comment 7 Martin Prpič 2014-09-29 11:54:55 UTC 
IssueDescription:

It was found that the SecurityTokenService (STS), provided as a part of Apache CXF, could under certain circumstances accept invalid SAML tokens as valid. A remote attacker could use a specially crafted SAML token to gain access to an application that uses STS for validation of SAML tokens.
Comment 8 errata-xmlrpc 2014-10-01 18:11:08 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse/A-MQ 6.1.0

Via RHSA-2014:1351 https://rhn.redhat.com/errata/RHSA-2014-1351.html
Comment 11 errata-xmlrpc 2015-04-16 16:04:27 UTC 
This issue has been addressed in the following products:

  JBoss BPM Suite 6.1.0

Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html
Comment 12 errata-xmlrpc 2015-04-16 16:09:02 UTC 
This issue has been addressed in the following products:

  JBoss BRMS 6.1.0

Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html
Comment 13 Fedora Update System 2015-04-21 18:56:30 UTC 
jboss-connector-1.6-api-1.0.1-1.fc22, cxf-build-utils-2.6.0-1.fc22, opensaml-java-xmltooling-1.3.4-9.fc22, cxf-xjc-utils-2.6.2-1.fc22, cxf-2.7.11-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 errata-xmlrpc 2015-05-14 15:18:02 UTC 
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
Note You need to log in before you can comment on or make changes to this bug.