CVE-2014-0034: The SecurityTokenService accepts certain invalid SAML Tokens as valid

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:
This vulnerability affects all versions of Apache CXF prior to 2.6.12 and 2.7.9.

Description:
The SecurityTokenService (STS) provided as part of Apache CXF has bindings to issue, validate, renew and cancel tokens. The main use-case is to issue SAML tokens. However, a less common use-case is to use the STS to validate SAML tokens. The vulnerability is that there are certain circumstances in which the STS will accept an invalid SAML token as valid if caching is enabled.

This has been fixed in revision:
http://svn.apache.org/viewvc?view=revision&revision=1551228

Migration:
Although this vulnerability has been fixed in CXF 2.6.12 and 2.7.9, due to other security advisories it is recommended to upgrade to the following releases:

CXF 2.6.x users should upgrade to 2.6.14 or later as soon as possible.
CXF 2.7.x users should upgrade to 2.7.11 or later as soon as possible.

References:
http://cxf.apache.org/security-advisories.html
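The advisory does not describe the mechanism, so the following is an added, constructed illustration of the general hazard behind this class of bug (a validation-result cache that lets a cache hit bypass full validation), not Apache CXF's STS code. The token format, HMAC "signature" and both validator classes are assumptions made for the example; the safe variant keys the cache on a digest of the whole token and re-checks expiry on every hit.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed issuer key for the example; a real STS verifies an XML signature.
SECRET = b"constructed-issuer-key"


@dataclass(frozen=True)
class Token:
    """Minimal stand-in for a SAML assertion: ID, subject, expiry, signature."""
    token_id: str
    subject: str
    not_on_or_after: float
    signature: str


def _payload(token_id: str, subject: str, exp: float) -> bytes:
    return f"{token_id}|{subject}|{exp}".encode()


def issue(token_id: str, subject: str, lifetime_s: float, now: float) -> Token:
    exp = now + lifetime_s
    sig = hmac.new(SECRET, _payload(token_id, subject, exp), "sha256").hexdigest()
    return Token(token_id, subject, exp, sig)


def full_validate(t: Token, now: float) -> bool:
    """Check the signature over the signed fields and the expiry."""
    expected = hmac.new(SECRET, _payload(t.token_id, t.subject, t.not_on_or_after),
                        "sha256").hexdigest()
    return hmac.compare_digest(t.signature, expected) and now < t.not_on_or_after


class NaiveCachingValidator:
    """Unsafe pattern: keyed on token ID, and a hit skips all checks."""
    def __init__(self):
        self.cache = {}

    def validate(self, t: Token, now: float) -> bool:
        if t.token_id in self.cache:
            return True  # tampered or expired token with a known ID passes
        ok = full_validate(t, now)
        if ok:
            self.cache[t.token_id] = True
        return ok


class SafeCachingValidator:
    """Safe pattern: keyed on a digest of the whole token; expiry re-checked."""
    def __init__(self):
        self.cache = {}

    def validate(self, t: Token, now: float) -> bool:
        key = hashlib.sha256(_payload(t.token_id, t.subject, t.not_on_or_after)
                             + t.signature.encode()).hexdigest()
        if key in self.cache:
            return now < self.cache[key]  # any change to the token misses the cache
        ok = full_validate(t, now)
        if ok:
            self.cache[key] = t.not_on_or_after
        return ok
```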