----BEGIN PGP SIGNED MESSAGE----
Hash: SHA1

CVE-2012-5633: WSS4JInInterceptor always allows HTTP Get requests from browser

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 2.5.8, 2.6.5
and 2.7.2. CXF 2.7.1 is not affected by default, however the vulnerability
exists if you are explicitly adding the URIMappingInterceptor to the default
chain.

Description:

The URIMappingInterceptor in CXF is a legacy interceptor that allows some basic
"rest style" access to a simple SOAP service. The functionality provided by
this interceptor has since been replaced by the JAX-RS standard.

An example of how this interceptor works is as follows. A simple "double it"
webservice is defined as:

@WebService(name = "DoubleItPortType")
public interface DoubleItPortType {
@WebMethod(operationName = "DoubleIt")
public int doubleIt(
@WebParam(name = "numberToDouble") int numberToDouble
);
}

The URIMappingInterceptor can allow a REST client access the service via a GET
request to a URL like:

http://localhost:8080/DoubleItPort/DoubleIt&numberToDouble=20

The vulnerability is when a simple SOAP service is secured with the
WSS4JInInterceptor, which enables WS-Security processing of the request.
WS-Security processing is completely by-passed in the case of a HTTP GET
request, and so access to the service can be enabled by the
URIMappingInterceptor.

This is a critical vulnerability if you are using a WS-Security UsernameToken
or a SOAP message signature via the WSS4JInInterceptor to authenticate users
for a simple SOAP service. Please note that this advisory does not apply if
you are using WS-SecurityPolicy to secure the service, as the relevant policies
will not be asserted. Also note that this attack is only applicable to
relatively simple services that can be mapped to a URI via the
URIMappingInterceptor.

This has been fixed in revisions:

http://svn.apache.org/viewvc?view=revision&revision=1409324 http://svn.apache.org/viewvc?view=revision&revision=1420698

Migration:

Although this issue is fixed in CXF 2.5.8, 2.6.5 and 2.7.2, due to a separate
security vulnerability (CVE-2013-0239), CXF users should upgrade to the
following versions:

Users of CXF prior to 2.5.x should upgrade to either 2.5.9, 2.6.6, or 2.7.3.
CXF 2.5.x users should upgrade to 2.5.9 as soon as possible.
CXF 2.6.x users should upgrade to 2.6.6 as soon as possible.
CXF 2.7.x users should upgrade to 2.7.3 as soon as possible.

References: http://cxf.apache.org/security-advisories.html

----BEGIN PGP SIGNATURE----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJRFM+PAAoJEGe/gLEK1TmDLW8IAKrzgMRi0avREKTbK3xwVcK4
OhpIc2ZckiHjuhTd4CAfR+8MblIx2aVKTywcIwbvSkwuqAj2YnHrc33RFLA2ifNU
00tKHlDfYWU2MzP+nPPHtgFMQbb9XclINLeCl8qiJAeZTW3gYOBEQ1XHL7yM1f8E
i3NSyIaIaRHmgB0IDWMNd1pQvkB6OrXJvxPWhkL6ea+GaCaC5+wInQWBWmNUOsj4
m/qnalxDgmRCHSLiHNw6N0l1Qb/nsL45MNvmLQglXZZAR1+npb1jtqega0DchFn7
ohEyVJpkFuASPcPsqeSpSbEYixjXSQCnJvw6RZlOvfXC7F6u49xjrRiskP/RBX0=
=IP0q
----END PGP SIGNATURE----