Re: New security advisories for Apache CXF

[Colm O hEigeartaigh <co...@apache.org>]

Hi Dennis,

The Apache security team suggested I document my objection to the CVE in a
public place (this mailing list for example) before informing Mitre that
the CVE is disputed. So I'll do that in this post.

A security advisory was issued for Apache CXF back in 2012, where the
advisory itself was never agreed upon with the Apache CXF PMC:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5786

In a nutshell, the advisory was that a sample that shipped with CXF had a
flag enabled which bypassed checking the DN check for a TLS certificate. We
since removed this flag from the sample configuration to prevent a user
unwittingly copying the configuration when setting up a deployment.
However, the fact remains that the issue reported was not a vulnerability
in CXF itself.

The issue has resurfaced recently in the context of the Maven Owasp
dependency checker, which downloads the advisory and is telling users of
(old) versions of CXF that there is a vulnerability associated with the
version they are using, when clearly there is not.

Colm.

On Wed, Apr 19, 2017 at 3:04 PM, Colm O hEigeartaigh <co...@apache.org>
wrote:

> Thanks, I'm going to ask the Apache security team for some advice on how
> to handle this.
>
> Colm.
>
> On Wed, Apr 19, 2017 at 12:30 PM, Dennis Kieselhorst <de...@apache.org>
> wrote:
>
>> > Could you file an issue with the OWasp plugin instead to remove this CVE
>> > from their list (if this is possible - I'm not sure how they are pulling
>> > down advisories)?
>>
>> The plugin downloads the NVD CVE data hosted by NIST.
>>
>> So to get rid of it, the configuration pattern
>> cpe:2.3:a:apache:cxf:-:*:*:*:*:*:*:* needs to be changed:
>> https://nvd.nist.gov/vuln/detail/CVE-2012-5786
>>
>> No idea how to achieve that.
>>
>> Regards
>> Dennis
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com