You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by bu...@apache.org on 2013/02/08 12:48:00 UTC
svn commit: r849863 - in /websites/production/cxf/content:
cache/main.pageCache cve-2012-5633.html cve-2013-0239.html
security-advisories.html
Author: buildbot
Date: Fri Feb 8 11:48:00 2013
New Revision: 849863
Log:
Production update by buildbot for cxf
Added:
websites/production/cxf/content/cve-2012-5633.html
websites/production/cxf/content/cve-2013-0239.html
Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/security-advisories.html
Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.
Added: websites/production/cxf/content/cve-2012-5633.html
==============================================================================
--- websites/production/cxf/content/cve-2012-5633.html (added)
+++ websites/production/cxf/content/cve-2012-5633.html Fri Feb 8 11:48:00 2013
@@ -0,0 +1,268 @@
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<html>
+ <head>
+ <link type="text/css" rel="stylesheet" href="http://cxf.apache.org/resources/site.css">
+ <script src="http://cxf.apache.org/resources/space.js" type="text/javascript"></script>
+
+<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
+<meta name="keywords" content="business integration, EAI, SOA, Service Oriented Architecture, web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic Data Interchange, standards support, integration standards, application integration, middleware, software, solutions, services, CXF, open source">
+<meta name="description" content="Apache CXF, Services Framework - CVE-2012-5633">
+ <title>
+Apache CXF -- CVE-2012-5633
+ </title>
+ </head>
+<body onload="init()">
+
+
+<table width="100%" cellpadding="0" cellspacing="0">
+ <tr>
+ <td id="cell-0-0" colspan="2"> </td>
+ <td id="cell-0-1"> </td>
+ <td id="cell-0-2" colspan="2"> </td>
+ </tr>
+ <tr>
+ <td id="cell-1-0"> </td>
+ <td id="cell-1-1"> </td>
+ <td id="cell-1-2">
+ <div style="padding: 5px;">
+ <div id="banner">
+ <!-- Banner -->
+<div id="banner-content">
+<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr><td align="left" colspan="1" nowrap>
+<a shape="rect" href="http://cxf.apache.org/" title="Apache CXF"><span style="font-weight: bold; font-size: 170%; color: white">Apache CXF</span></a>
+</td><td align="right" colspan="1" nowrap>
+<a shape="rect" href="http://www.apache.org/" title="The Apache Software Foundation"><img border="0" alt="ASF Logo" src="http://cxf.apache.org/images/asf-logo.png"></a>
+</td></tr></table>
+</div>
+ <!-- Banner -->
+ </div>
+ </div>
+ <div id="top-menu">
+ <table border="0" cellpadding="1" cellspacing="0" width="100%">
+ <tr>
+ <td>
+ <div align="left">
+ <!-- Breadcrumbs -->
+<a href="index.html">Index</a> > <a href="security-advisories.html">Security Advisories</a> > <a href="cve-2012-5633.html">CVE-2012-5633</a>
+ <!-- Breadcrumbs -->
+ </div>
+ </td>
+ <td>
+ <div align="right">
+ <!-- Quicklinks -->
+<div id="quicklinks"><p><a shape="rect" href="download.html" title="Download">Download</a> | <a shape="rect" href="http://cxf.apache.org/docs/index.html">Documentation</a></p></div>
+ <!-- Quicklinks -->
+ </div>
+ </td>
+ </tr>
+ </table>
+ </div>
+ </td>
+ <td id="cell-1-3"> </td>
+ <td id="cell-1-4"> </td>
+ </tr>
+ <tr>
+ <td id="cell-2-0" colspan="2"> </td>
+ <td id="cell-2-1">
+ <table>
+ <tr valign="top">
+ <td height="100%">
+ <div id="wrapper-menu-page-right">
+ <div id="wrapper-menu-page-top">
+ <div id="wrapper-menu-page-bottom">
+ <div id="menu-page">
+ <!-- NavigationBar -->
+<div id="navigation"><h3><a shape="rect" name="Navigation-ApacheCXFIndex"></a><a shape="rect" href="index.html" title="Index">Apache CXF</a></h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" href="index.html" title="Index">Home</a></li><li><a shape="rect" href="download.html" title="Download">Download</a></li><li><a shape="rect" href="people.html" title="People">People</a></li><li><a shape="rect" href="project-status.html" title="Project Status">Project Status</a></li><li><a shape="rect" href="roadmap.html" title="Roadmap">Roadmap</a></li><li><a shape="rect" href="mailing-lists.html" title="Mailing Lists">Mailing Lists</a></li><li><a shape="rect" class="external-link" href="http://issues.apache.org/jira/browse/CXF">Issue Reporting</a></li><li><a shape="rect" href="special-thanks.html" title="Special Thanks">Special Thanks</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/licenses/">License</a></li><li><a shape="rect" href="security-advisories.html" title="Security Advisories">Security Advisories</a></li></ul>
+
+
+<h3><a shape="rect" name="Navigation-Users"></a>Users</h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" href="http://cxf.apache.org/docs/index.html">User's Guide</a></li><li><a shape="rect" href="support.html" title="Support">Support</a></li><li><a shape="rect" href="faq.html" title="FAQ">FAQ</a></li><li><a shape="rect" href="resources-and-articles.html" title="Resources and Articles">Resources and Articles</a></li></ul>
+
+
+<h3><a shape="rect" name="Navigation-Search"></a>Search</h3>
+
+<form enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box" action="http://www.google.com/cse">
+ <div>
+ <input type="hidden" name="cx" value="002890367768291051730:o99qiwa09y4">
+ <input type="hidden" name="ie" value="UTF-8">
+ <input type="text" name="q" size="21">
+ <input type="submit" name="sa" value="Search">
+ </div>
+</form>
+<script type="text/javascript" src="http://www.google.com/cse/brand?form=cse-search-box&lang=en"></script>
+
+
+<h3><a shape="rect" name="Navigation-Developers"></a>Developers</h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" href="http://cxf.apache.org/docs/cxf-architecture.html">Architecture Guide</a></li><li><a shape="rect" href="source-repository.html" title="Source Repository">Source Repository</a></li><li><a shape="rect" href="building.html" title="Building">Building</a></li><li><a shape="rect" href="automated-builds.html" title="Automated Builds">Automated Builds</a></li><li><a shape="rect" href="testing-debugging.html" title="Testing-Debugging">Testing-Debugging</a></li><li><a shape="rect" href="coding-guidelines.html" title="Coding Guidelines">Coding Guidelines</a></li><li><a shape="rect" href="getting-involved.html" title="Getting Involved">Getting Involved</a></li><li><a shape="rect" href="release-management.html" title="Release Management">Release Management</a></li></ul>
+
+
+<h3><a shape="rect" name="Navigation-Subprojects"></a>Subprojects</h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" href="distributed-osgi.html" title="Distributed OSGi">Distributed OSGi</a></li><li><a shape="rect" href="xjc-utils.html" title="XJC Utils">XJC Utils</a></li><li><a shape="rect" href="build-utils.html" title="Build Utils">Build Utils</a></li><li><a shape="rect" href="fediz.html" title="Fediz">Fediz</a></li></ul>
+
+
+<h3><a shape="rect" name="Navigation-ASF"></a><a shape="rect" class="external-link" href="http://www.apache.org">ASF</a></h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/how-it-works.html">How Apache Works</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/">Foundation</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/sponsorship.html">Sponsor Apache</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/thanks.html">Thanks</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/security/">Security</a></li></ul>
+</div>
+ <!-- NavigationBar -->
+ </div>
+ </div>
+ </div>
+ </div>
+ </td>
+ <td height="100%">
+ <!-- Content -->
+ <div class="wiki-content">
+<div id="ConfluenceContent"><p>----<del>BEGIN PGP SIGNED MESSAGE</del>----<br clear="none">
+Hash: SHA1</p>
+
+
+<p>CVE-2012-5633: WSS4JInInterceptor always allows HTTP Get requests from browser </p>
+
+<p>Severity: Critical</p>
+
+<p>Vendor: The Apache Software Foundation</p>
+
+<p>Versions Affected:</p>
+
+<p>This vulnerability affects all versions of Apache CXF prior to 2.5.8, 2.6.5<br clear="none">
+and 2.7.2. CXF 2.7.1 is not affected by default, however the vulnerability<br clear="none">
+exists if you are explicitly adding the URIMappingInterceptor to the default<br clear="none">
+chain.</p>
+
+<p>Description:</p>
+
+<p>The URIMappingInterceptor in CXF is a legacy interceptor that allows some basic<br clear="none">
+"rest style" access to a simple SOAP service. The functionality provided by<br clear="none">
+this interceptor has since been replaced by the JAX-RS standard.</p>
+
+<p>An example of how this interceptor works is as follows. A simple "double it"<br clear="none">
+webservice is defined as:</p>
+
+<p>@WebService(name = "DoubleItPortType")<br clear="none">
+public interface DoubleItPortType </p>
+<div class="error"><span class="error">Unknown macro: {
+ @WebMethod(operationName = "DoubleIt")
+ public int doubleIt(
+ @WebParam(name = "numberToDouble") int numberToDouble
+ );
+}</span> </div>
+
+<p>The URIMappingInterceptor can allow a REST client access the service via a GET<br clear="none">
+request to a URL like:</p>
+
+<p><a shape="rect" class="external-link" href="http://localhost:8080/DoubleItPort/DoubleIt&numberToDouble=20" rel="nofollow">http://localhost:8080/DoubleItPort/DoubleIt&numberToDouble=20</a></p>
+
+<p>The vulnerability is when a simple SOAP service is secured with the<br clear="none">
+WSS4JInInterceptor, which enables WS-Security processing of the request. <br clear="none">
+WS-Security processing is completely by-passed in the case of a HTTP GET<br clear="none">
+request, and so access to the service can be enabled by the<br clear="none">
+URIMappingInterceptor.</p>
+
+<p>This is a critical vulnerability if you are using a WS-Security UsernameToken<br clear="none">
+or a SOAP message signature via the WSS4JInInterceptor to authenticate users<br clear="none">
+for a simple SOAP service. Please note that this advisory does not apply if <br clear="none">
+you are using WS-SecurityPolicy to secure the service, as the relevant policies<br clear="none">
+will not be asserted. Also note that this attack is only applicable to <br clear="none">
+relatively simple services that can be mapped to a URI via the<br clear="none">
+URIMappingInterceptor.</p>
+
+<p>This has been fixed in revisions:</p>
+
+<p><a shape="rect" class="external-link" href="http://svn.apache.org/viewvc?view=revision&revision=1409324">http://svn.apache.org/viewvc?view=revision&revision=1409324</a>
+<a shape="rect" class="external-link" href="http://svn.apache.org/viewvc?view=revision&revision=1420698">http://svn.apache.org/viewvc?view=revision&revision=1420698</a></p>
+
+<p>Migration:</p>
+
+<p>Although this issue is fixed in CXF 2.5.8, 2.6.5 and 2.7.2, due to a separate<br clear="none">
+security vulnerability (CVE-2013-0239), CXF users should upgrade to the<br clear="none">
+following versions:</p>
+
+<p>Users of CXF prior to 2.5.x should upgrade to either 2.5.9, 2.6.6, or 2.7.3.<br clear="none">
+CXF 2.5.x users should upgrade to 2.5.9 as soon as possible.<br clear="none">
+CXF 2.6.x users should upgrade to 2.6.6 as soon as possible.<br clear="none">
+CXF 2.7.x users should upgrade to 2.7.3 as soon as possible.</p>
+
+<p>References: <a shape="rect" href="http://cxf.apache.org/security-advisories.html">http://cxf.apache.org/security-advisories.html</a></p>
+
+<p>----<del>BEGIN PGP SIGNATURE</del>----<br clear="none">
+Version: GnuPG v1.4.11 (GNU/Linux)</p>
+
+<p>iQEcBAEBAgAGBQJRFM+PAAoJEGe/gLEK1TmDLW8IAKrzgMRi0avREKTbK3xwVcK4<br clear="none">
+OhpIc2ZckiHjuhTd4CAfR+8MblIx2aVKTywcIwbvSkwuqAj2YnHrc33RFLA2ifNU<br clear="none">
+00tKHlDfYWU2MzP+nPPHtgFMQbb9XclINLeCl8qiJAeZTW3gYOBEQ1XHL7yM1f8E<br clear="none">
+i3NSyIaIaRHmgB0IDWMNd1pQvkB6OrXJvxPWhkL6ea+GaCaC5+wInQWBWmNUOsj4<br clear="none">
+m/qnalxDgmRCHSLiHNw6N0l1Qb/nsL45MNvmLQglXZZAR1+npb1jtqega0DchFn7<br clear="none">
+ohEyVJpkFuASPcPsqeSpSbEYixjXSQCnJvw6RZlOvfXC7F6u49xjrRiskP/RBX0=<br clear="none">
+=IP0q<br clear="none">
+----<del>END PGP SIGNATURE</del>----</p></div>
+ </div>
+ <!-- Content -->
+ </td>
+ </tr>
+ </table>
+ </td>
+ <td id="cell-2-2" colspan="2"> </td>
+ </tr>
+ <tr>
+ <td id="cell-3-0"> </td>
+ <td id="cell-3-1"> </td>
+ <td id="cell-3-2">
+ <div id="footer">
+ <!-- Footer -->
+ <div id="site-footer">
+ <a href="http://cxf.apache.org/privacy-policy.html">Privacy Policy</a> -
+ (<a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=30752793">edit page</a>)
+ (<a href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=30752793&showComments=true&showCommentArea=true#addcomment">add comment</a>)<br>
+ Apache CXF, CXF, Apache, the Apache feather logo are trademarks of The Apache Software Foundation.<br>
+ All other marks mentioned may be trademarks or registered trademarks of their respective owners.
+ </div>
+ <!-- Footer -->
+ </div>
+ </td>
+ <td id="cell-3-3"> </td>
+ <td id="cell-3-4"> </td>
+ </tr>
+ <tr>
+ <td id="cell-4-0" colspan="2"> </td>
+ <td id="cell-4-1"> </td>
+ <td id="cell-4-2" colspan="2"> </td>
+ </tr>
+</table>
+
+<script type="text/javascript">
+var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
+document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
+</script>
+<script type="text/javascript">
+try {
+var pageTracker = _gat._getTracker("UA-4458903-1");
+pageTracker._trackPageview();
+} catch(err) {}</script>
+
+</body>
+</html>
+
Added: websites/production/cxf/content/cve-2013-0239.html
==============================================================================
--- websites/production/cxf/content/cve-2013-0239.html (added)
+++ websites/production/cxf/content/cve-2013-0239.html Fri Feb 8 11:48:00 2013
@@ -0,0 +1,262 @@
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<html>
+ <head>
+ <link type="text/css" rel="stylesheet" href="http://cxf.apache.org/resources/site.css">
+ <script src="http://cxf.apache.org/resources/space.js" type="text/javascript"></script>
+
+<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
+<meta name="keywords" content="business integration, EAI, SOA, Service Oriented Architecture, web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic Data Interchange, standards support, integration standards, application integration, middleware, software, solutions, services, CXF, open source">
+<meta name="description" content="Apache CXF, Services Framework - CVE-2013-0239">
+ <title>
+Apache CXF -- CVE-2013-0239
+ </title>
+ </head>
+<body onload="init()">
+
+
+<table width="100%" cellpadding="0" cellspacing="0">
+ <tr>
+ <td id="cell-0-0" colspan="2"> </td>
+ <td id="cell-0-1"> </td>
+ <td id="cell-0-2" colspan="2"> </td>
+ </tr>
+ <tr>
+ <td id="cell-1-0"> </td>
+ <td id="cell-1-1"> </td>
+ <td id="cell-1-2">
+ <div style="padding: 5px;">
+ <div id="banner">
+ <!-- Banner -->
+<div id="banner-content">
+<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr><td align="left" colspan="1" nowrap>
+<a shape="rect" href="http://cxf.apache.org/" title="Apache CXF"><span style="font-weight: bold; font-size: 170%; color: white">Apache CXF</span></a>
+</td><td align="right" colspan="1" nowrap>
+<a shape="rect" href="http://www.apache.org/" title="The Apache Software Foundation"><img border="0" alt="ASF Logo" src="http://cxf.apache.org/images/asf-logo.png"></a>
+</td></tr></table>
+</div>
+ <!-- Banner -->
+ </div>
+ </div>
+ <div id="top-menu">
+ <table border="0" cellpadding="1" cellspacing="0" width="100%">
+ <tr>
+ <td>
+ <div align="left">
+ <!-- Breadcrumbs -->
+<a href="index.html">Index</a> > <a href="security-advisories.html">Security Advisories</a> > <a href="cve-2013-0239.html">CVE-2013-0239</a>
+ <!-- Breadcrumbs -->
+ </div>
+ </td>
+ <td>
+ <div align="right">
+ <!-- Quicklinks -->
+<div id="quicklinks"><p><a shape="rect" href="download.html" title="Download">Download</a> | <a shape="rect" href="http://cxf.apache.org/docs/index.html">Documentation</a></p></div>
+ <!-- Quicklinks -->
+ </div>
+ </td>
+ </tr>
+ </table>
+ </div>
+ </td>
+ <td id="cell-1-3"> </td>
+ <td id="cell-1-4"> </td>
+ </tr>
+ <tr>
+ <td id="cell-2-0" colspan="2"> </td>
+ <td id="cell-2-1">
+ <table>
+ <tr valign="top">
+ <td height="100%">
+ <div id="wrapper-menu-page-right">
+ <div id="wrapper-menu-page-top">
+ <div id="wrapper-menu-page-bottom">
+ <div id="menu-page">
+ <!-- NavigationBar -->
+<div id="navigation"><h3><a shape="rect" name="Navigation-ApacheCXFIndex"></a><a shape="rect" href="index.html" title="Index">Apache CXF</a></h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" href="index.html" title="Index">Home</a></li><li><a shape="rect" href="download.html" title="Download">Download</a></li><li><a shape="rect" href="people.html" title="People">People</a></li><li><a shape="rect" href="project-status.html" title="Project Status">Project Status</a></li><li><a shape="rect" href="roadmap.html" title="Roadmap">Roadmap</a></li><li><a shape="rect" href="mailing-lists.html" title="Mailing Lists">Mailing Lists</a></li><li><a shape="rect" class="external-link" href="http://issues.apache.org/jira/browse/CXF">Issue Reporting</a></li><li><a shape="rect" href="special-thanks.html" title="Special Thanks">Special Thanks</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/licenses/">License</a></li><li><a shape="rect" href="security-advisories.html" title="Security Advisories">Security Advisories</a></li></ul>
+
+
+<h3><a shape="rect" name="Navigation-Users"></a>Users</h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" href="http://cxf.apache.org/docs/index.html">User's Guide</a></li><li><a shape="rect" href="support.html" title="Support">Support</a></li><li><a shape="rect" href="faq.html" title="FAQ">FAQ</a></li><li><a shape="rect" href="resources-and-articles.html" title="Resources and Articles">Resources and Articles</a></li></ul>
+
+
+<h3><a shape="rect" name="Navigation-Search"></a>Search</h3>
+
+<form enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box" action="http://www.google.com/cse">
+ <div>
+ <input type="hidden" name="cx" value="002890367768291051730:o99qiwa09y4">
+ <input type="hidden" name="ie" value="UTF-8">
+ <input type="text" name="q" size="21">
+ <input type="submit" name="sa" value="Search">
+ </div>
+</form>
+<script type="text/javascript" src="http://www.google.com/cse/brand?form=cse-search-box&lang=en"></script>
+
+
+<h3><a shape="rect" name="Navigation-Developers"></a>Developers</h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" href="http://cxf.apache.org/docs/cxf-architecture.html">Architecture Guide</a></li><li><a shape="rect" href="source-repository.html" title="Source Repository">Source Repository</a></li><li><a shape="rect" href="building.html" title="Building">Building</a></li><li><a shape="rect" href="automated-builds.html" title="Automated Builds">Automated Builds</a></li><li><a shape="rect" href="testing-debugging.html" title="Testing-Debugging">Testing-Debugging</a></li><li><a shape="rect" href="coding-guidelines.html" title="Coding Guidelines">Coding Guidelines</a></li><li><a shape="rect" href="getting-involved.html" title="Getting Involved">Getting Involved</a></li><li><a shape="rect" href="release-management.html" title="Release Management">Release Management</a></li></ul>
+
+
+<h3><a shape="rect" name="Navigation-Subprojects"></a>Subprojects</h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" href="distributed-osgi.html" title="Distributed OSGi">Distributed OSGi</a></li><li><a shape="rect" href="xjc-utils.html" title="XJC Utils">XJC Utils</a></li><li><a shape="rect" href="build-utils.html" title="Build Utils">Build Utils</a></li><li><a shape="rect" href="fediz.html" title="Fediz">Fediz</a></li></ul>
+
+
+<h3><a shape="rect" name="Navigation-ASF"></a><a shape="rect" class="external-link" href="http://www.apache.org">ASF</a></h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/how-it-works.html">How Apache Works</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/">Foundation</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/sponsorship.html">Sponsor Apache</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/thanks.html">Thanks</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/security/">Security</a></li></ul>
+</div>
+ <!-- NavigationBar -->
+ </div>
+ </div>
+ </div>
+ </div>
+ </td>
+ <td height="100%">
+ <!-- Content -->
+ <div class="wiki-content">
+<div id="ConfluenceContent"><p>----<del>BEGIN PGP SIGNED MESSAGE</del>----<br clear="none">
+Hash: SHA1</p>
+
+
+<p>CVE-2013-0239: Authentication bypass in the case of WS-SecurityPolicy enabled<br clear="none">
+plaintext UsernameTokens.</p>
+
+<p>Severity: Critical</p>
+
+<p>Vendor: The Apache Software Foundation</p>
+
+<p>Versions Affected:</p>
+
+<p>This vulnerability affects all versions of Apache CXF prior to 2.5.9, 2.6.6<br clear="none">
+and 2.7.3. </p>
+
+<p>Description:</p>
+
+<p>The following WS-SecurityPolicy 1.3 fragment requires that a WS-Security<br clear="none">
+UsernameToken must be present in the security header of a SOAP request:</p>
+
+<p><sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"><br clear="none">
+ <wsp:Policy><br clear="none">
+ <sp:WssUsernameToken10/><br clear="none">
+ </wsp:Policy><br clear="none">
+</sp:UsernameToken></p>
+
+<p>If a UsernameToken element is sent with no password child element, then a<br clear="none">
+policy similar to the policy defined above will completely bypass<br clear="none">
+authentication by default. This is due to the use-case of supporting deriving<br clear="none">
+keys from a UsernameToken, where a password element would not be sent in the<br clear="none">
+token.</p>
+
+<p>The vulnerability does not apply in any of the following circumstances:</p>
+
+<p> a) You are using a custom UsernameTokenValidator which does not allow the<br clear="none">
+ 'verifyUnknownPassword' use-case, or that otherwise insists that a password<br clear="none">
+ must be present in the token (such as the 'JAASUsernameTokenValidator' in<br clear="none">
+ WSS4J).<br clear="none">
+ b) You are using a 'sp:HashPassword' policy that requires a hashed password<br clear="none">
+ to be present in the token.<br clear="none">
+ c) You are using the older style of configuring WS-Security without using<br clear="none">
+ WS-SecurityPolicy.</p>
+
+<p>If you are relying on WS-SecurityPolicy enabled plaintext UsernameTokens to<br clear="none">
+authenticate users, and if neither points a) nor b) apply, then you must<br clear="none">
+upgrade to a fixed version of CXF (see below), or else configure a custom<br clear="none">
+UsernameTokenValidator implementation to insist that a password element must<br clear="none">
+be present.</p>
+
+<p>The fix has been to require a password element in the case of a (non-endorsing)<br clear="none">
+SupportingToken.</p>
+
+<p>This has been fixed in revisions:</p>
+
+<p><a shape="rect" class="external-link" href="http://svn.apache.org/viewvc?view=revision&revision=1438424">http://svn.apache.org/viewvc?view=revision&revision=1438424</a></p>
+
+<p>Migration:</p>
+
+<p>Users of CXF prior to 2.5.x should upgrade to either 2.5.9, 2.6.6, or 2.7.3.<br clear="none">
+CXF 2.5.x users should upgrade to 2.5.9 as soon as possible.<br clear="none">
+CXF 2.6.x users should upgrade to 2.6.6 as soon as possible.<br clear="none">
+CXF 2.7.x users should upgrade to 2.7.3 as soon as possible.</p>
+
+<p>References: <a shape="rect" href="http://cxf.apache.org/security-advisories.html">http://cxf.apache.org/security-advisories.html</a></p>
+
+<p>----<del>BEGIN PGP SIGNATURE</del>----<br clear="none">
+Version: GnuPG v1.4.11 (GNU/Linux)</p>
+
+<p>iQEcBAEBAgAGBQJRFM+nAAoJEGe/gLEK1TmDf/gIAJFUWpot4X9xtbJ5SfEqGwlY<br clear="none">
++FUoeaSuzqyVLmEPhas6eDIrwONDOrQJC9VO6fyJGMtk6rrPtbmcbRGosjb+bSJF<br clear="none">
+fpi0aHTvJdZMv2FGWkUHbpJhn0nnmM3BzgKcDhh1GTKDhiDhn4xdD+TKxNQ+xuML<br clear="none">
+KjSP6SWXCCL6jvPuu90zPPkyTX3BlR8Mxzr1OxmiGKkU2uB8Mnx+KLgMjDkV/9uf<br clear="none">
++dApxPsqGgtDbETt1RYRrRKGW8S2YSQ61Kmf9Ce5Ewd+pcv3KRxhmerfAf6AwypD<br clear="none">
+DhiXacDlm0kjH02fWFbddMKQoL4IxbRmLV8cJSRI6mJ45Fi+r+SlLa2/g7PUxOg=<br clear="none">
+=NqSU<br clear="none">
+----<del>END PGP SIGNATURE</del>----</p></div>
+ </div>
+ <!-- Content -->
+ </td>
+ </tr>
+ </table>
+ </td>
+ <td id="cell-2-2" colspan="2"> </td>
+ </tr>
+ <tr>
+ <td id="cell-3-0"> </td>
+ <td id="cell-3-1"> </td>
+ <td id="cell-3-2">
+ <div id="footer">
+ <!-- Footer -->
+ <div id="site-footer">
+ <a href="http://cxf.apache.org/privacy-policy.html">Privacy Policy</a> -
+ (<a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=30752795">edit page</a>)
+ (<a href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=30752795&showComments=true&showCommentArea=true#addcomment">add comment</a>)<br>
+ Apache CXF, CXF, Apache, the Apache feather logo are trademarks of The Apache Software Foundation.<br>
+ All other marks mentioned may be trademarks or registered trademarks of their respective owners.
+ </div>
+ <!-- Footer -->
+ </div>
+ </td>
+ <td id="cell-3-3"> </td>
+ <td id="cell-3-4"> </td>
+ </tr>
+ <tr>
+ <td id="cell-4-0" colspan="2"> </td>
+ <td id="cell-4-1"> </td>
+ <td id="cell-4-2" colspan="2"> </td>
+ </tr>
+</table>
+
+<script type="text/javascript">
+var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
+document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
+</script>
+<script type="text/javascript">
+try {
+var pageTracker = _gat._getTracker("UA-4458903-1");
+pageTracker._trackPageview();
+} catch(err) {}</script>
+
+</body>
+</html>
+
Modified: websites/production/cxf/content/security-advisories.html
==============================================================================
--- websites/production/cxf/content/security-advisories.html (original)
+++ websites/production/cxf/content/security-advisories.html Fri Feb 8 11:48:00 2013
@@ -136,7 +136,7 @@ Apache CXF -- Security Advisories
<td height="100%">
<!-- Content -->
<div class="wiki-content">
-<div id="ConfluenceContent"><ul><li><a shape="rect" href="note-on-cve-2011-2487.html" title="Note on CVE-2011-2487">Note on CVE-2011-2487</a> - Bleichenbacher attack against distributed symmetric key in WS-Security.</li><li><a shape="rect" href="cve-2012-3451.html" title="CVE-2012-3451">CVE-2012-3451</a> - Apache CXF is vulnerable to SOAP Action spoofing attacks on Document Literal web services.</li><li><a shape="rect" href="cve-2012-2379.html" title="CVE-2012-2379">CVE-2012-2379</a> - Apache CXF does not verify that elements were signed or encrypted by a particular Supporting Token.</li><li><a shape="rect" href="cve-2012-2378.html" title="CVE-2012-2378">CVE-2012-2378</a> - Apache CXF does not pick up some child policies of WS-SecurityPolicy 1.1 SupportingToken policy assertions on the client side.</li><li><a shape="rect" href="note-on-cve-2011-1096.html" title="Note on CVE-2011-1096">Note on CVE-2011-1096</a> - XML Encryption flaw / Character pattern encoding attack.</li><l
i><a shape="rect" href="cve-2012-0803.html" title="CVE-2012-0803">CVE-2012-0803</a> - Apache CXF does not validate UsernameToken policies correctly.</li><li><a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf">CVE-2010-2076</a> - DTD based XML attacks.</li></ul>
+<div id="ConfluenceContent"><ul><li><a shape="rect" href="cve-2013-0239.html" title="CVE-2013-0239">CVE-2013-0239</a> - Authentication bypass in the case of WS-SecurityPolicy enabled plaintext UsernameTokens.</li><li><a shape="rect" href="cve-2012-5633.html" title="CVE-2012-5633">CVE-2012-5633</a> - WSS4JInInterceptor always allows HTTP Get requests from browser.</li><li><a shape="rect" href="note-on-cve-2011-2487.html" title="Note on CVE-2011-2487">Note on CVE-2011-2487</a> - Bleichenbacher attack against distributed symmetric key in WS-Security.</li><li><a shape="rect" href="cve-2012-3451.html" title="CVE-2012-3451">CVE-2012-3451</a> - Apache CXF is vulnerable to SOAP Action spoofing attacks on Document Literal web services.</li><li><a shape="rect" href="cve-2012-2379.html" title="CVE-2012-2379">CVE-2012-2379</a> - Apache CXF does not verify that elements were signed or encrypted by a particular Supporting Token.</li><li><a shape="rect" href="cve-2012-2378.html" title="CVE
-2012-2378">CVE-2012-2378</a> - Apache CXF does not pick up some child policies of WS-SecurityPolicy 1.1 SupportingToken policy assertions on the client side.</li><li><a shape="rect" href="note-on-cve-2011-1096.html" title="Note on CVE-2011-1096">Note on CVE-2011-1096</a> - XML Encryption flaw / Character pattern encoding attack.</li><li><a shape="rect" href="cve-2012-0803.html" title="CVE-2012-0803">CVE-2012-0803</a> - Apache CXF does not validate UsernameToken policies correctly.</li><li><a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf">CVE-2010-2076</a> - DTD based XML attacks.</li></ul>
</div>
</div>
<!-- Content -->