----BEGIN PGP SIGNED MESSAGE----
CVE-2012-3451: Apache CXF is vulnerable to SOAP Action spoofing attacks on
Document Literal web services.
Vendor: The Apache Software Foundation
This vulnerability affects all released versions of Apache CXF.
Each operation in a SOAP web service can be associated with a SOAP Action
String (e.g. in the WSDL binding or via an annotation). The web service client
can send the SOAP Action String as a header with the request as a way of
letting the web service know what operation is required.
In some cases, CXF uses the received SOAP Action to select the correct
operation to invoke, and does not check to see that the message body is
correct. This can be exploitable to execute a SOAP Action spoofing attack,
where an adversary can execute another operation in the web service by sending
the corresponding SOAP Action. This attack only works if the different
operation takes the same parameter types, and hence has somewhat limited
This attack also only applies for web services that use unique SOAPActions per
service operation which is not the default in CXF. Also note that WS-Policy
validation is done against the operation being invoked and thus the incoming
message must meet those policy requirements as well, also limiting
This has been fixed in revision:
All released versions of CXF are affected.
Users of CXF prior to 2.4.x should upgrade to either 2.4.9, 2.5.5, or 2.6.2.
CXF 2.4.x users should upgrade to 2.4.9 as soon as possible.
CXF 2.5.x users should upgrade to 2.5.5 as soon as possible.
CXF 2.6.x users should upgrade to 2.6.2 as soon as possible.
----BEGIN PGP SIGNATURE----
Version: GnuPG v1.4.11 (GNU/Linux)
----END PGP SIGNATURE----