This Confluence has been LDAP enabled, if you are an ASF Committer, please use your LDAP Credentials to login. Any problems file an INFRA jira ticket please.

Child pages
  • CVE-2012-5633

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migration of unmigrated content due to installation of a new plugin

...

-

...

-

...

--

...

BEGIN

...

PGP

...

SIGNED

...

MESSAGE----

...


Hash:

...

SHA1

...

CVE-2012-5633:

...

WSS4JInInterceptor

...

always

...

allows

...

HTTP

...

Get

...

requests

...

from

...

browser

...

Severity:

...

Critical

...

Vendor:

...

The

...

Apache

...

Software

...

Foundation

...

Versions

...

Affected:

...

This

...

vulnerability

...

affects

...

all

...

versions

...

of

...

Apache

...

CXF

...

prior

...

to

...

2.5.8,

...

2.6.5

...


and

...

2.7.2.

...

CXF

...

2.7.1

...

is

...

not

...

affected

...

by

...

default,

...

however

...

the

...

vulnerability

...


exists

...

if

...

you

...

are

...

explicitly

...

adding

...

the

...

URIMappingInterceptor

...

to

...

the

...

default

...


chain.

...

Description:

...

The

...

URIMappingInterceptor

...

in

...

CXF

...

is

...

a

...

legacy

...

interceptor

...

that

...

allows

...

some

...

basic

...


"rest

...

style"

...

access

...

to

...

a

...

simple

...

SOAP

...

service.

...

The

...

functionality

...

provided

...

by

...


this

...

interceptor

...

has

...

since

...

been

...

replaced

...

by

...

the

...

JAX-RS

...

standard.

...

An

...

example

...

of

...

how

...

this

...

interceptor

...

works

...

is

...

as

...

follows.

...

A

...

simple

...

"double

...

it"

...


webservice

...

is

...

defined

...

as:

...

@WebService(name

...

=

...

"DoubleItPortType")

...


public

...

interface

...

DoubleItPortType

...

{

...


@WebMethod(operationName

...

=

...

"DoubleIt")

...


public

...

int

...

doubleIt(

...


@WebParam(name

...

=

...

"numberToDouble")

...

int

...

numberToDouble

...


);

...


}

...

The

...

URIMappingInterceptor

...

can

...

allow

...

a

...

REST

...

client

...

access

...

the

...

service

...

via

...

a

...

GET

...


request

...

to

...

a

...

URL

...

like:

...

http://localhost:8080/DoubleItPort/DoubleIt&numberToDouble=20

...

The

...

vulnerability

...

is

...

when

...

a

...

simple

...

SOAP

...

service

...

is

...

secured

...

with

...

the

...


WSS4JInInterceptor,

...

which

...

enables

...

WS-Security

...

processing

...

of

...

the

...

request.

...


WS-Security

...

processing

...

is

...

completely

...

by-passed

...

in

...

the

...

case

...

of

...

a

...

HTTP

...

GET

...


request,

...

and

...

so

...

access

...

to

...

the

...

service

...

can

...

be

...

enabled

...

by

...

the

...


URIMappingInterceptor.

...

This

...

is

...

a

...

critical

...

vulnerability

...

if

...

you

...

are

...

using

...

a

...

WS-Security

...

UsernameToken

...


or

...

a

...

SOAP

...

message

...

signature

...

via

...

the

...

WSS4JInInterceptor

...

to

...

authenticate

...

users

...


for

...

a

...

simple

...

SOAP

...

service.

...

Please

...

note

...

that

...

this

...

advisory

...

does

...

not

...

apply

...

if

...


you

...

are

...

using

...

WS-SecurityPolicy

...

to

...

secure

...

the

...

service,

...

as

...

the

...

relevant

...

policies

...


will

...

not

...

be

...

asserted.

...

Also

...

note

...

that

...

this

...

attack

...

is

...

only

...

applicable

...

to

...


relatively

...

simple

...

services

...

that

...

can

...

be

...

mapped

...

to

...

a

...

URI

...

via

...

the

...


URIMappingInterceptor.

...

This

...

has

...

been

...

fixed

...

in

...

revisions:

...

http://svn.apache.org/viewvc?view=revision&revision=1409324

...

http://svn.apache.org/viewvc?view=revision&revision=1420698

...

Migration:

...

Although

...

this

...

issue

...

is

...

fixed

...

in

...

CXF

...

2.5.8,

...

2.6.5

...

and

...

2.7.2,

...

due

...

to

...

a

...

separate

...


security

...

vulnerability

...

(CVE-2013-0239),

...

CXF

...

users

...

should

...

upgrade

...

to

...

the

...


following

...

versions:

...

Users

...

of

...

CXF

...

prior

...

to

...

2.5.x

...

should

...

upgrade

...

to

...

either

...

2.5.9,

...

2.6.6,

...

or

...

2.7.3.

...


CXF

...

2.5.x

...

users

...

should

...

upgrade

...

to

...

2.5.9

...

as

...

soon

...

as

...

possible.

...


CXF

...

2.6.x

...

users

...

should

...

upgrade

...

to

...

2.6.6

...

as

...

soon

...

as

...

possible.

...


CXF

...

2.7.x

...

users

...

should

...

upgrade

...

to

...

2.7.3

...

as

...

soon

...

as

...

possible.

...

References:

...

http://cxf.apache.org/security-advisories.html

...

----

...

BEGIN

...

PGP

...

SIGNATURE----

...


Version:

...

GnuPG

...

v1.4.11

...

(GNU/Linux)

...

iQEcBAEBAgAGBQJRFM+PAAoJEGe/gLEK1TmDLW8IAKrzgMRi0avREKTbK3xwVcK4

...


OhpIc2ZckiHjuhTd4CAfR+8MblIx2aVKTywcIwbvSkwuqAj2YnHrc33RFLA2ifNU

...


00tKHlDfYWU2MzP+nPPHtgFMQbb9XclINLeCl8qiJAeZTW3gYOBEQ1XHL7yM1f8E

...


i3NSyIaIaRHmgB0IDWMNd1pQvkB6OrXJvxPWhkL6ea+GaCaC5+wInQWBWmNUOsj4

...


m/qnalxDgmRCHSLiHNw6N0l1Qb/nsL45MNvmLQglXZZAR1+npb1jtqega0DchFn7

...


ohEyVJpkFuASPcPsqeSpSbEYixjXSQCnJvw6RZlOvfXC7F6u49xjrRiskP/RBX0=

...


=IP0q

...


----

...

END

...

PGP

...

SIGNATURE----

...