-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2014-3623: Apache CXF does not properly enforce the security semantics
of SAML SubjectConfirmation methods when used with the TransportBinding

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 2.7.13 and
3.0.2.

Description:

There are different security requirements associated with SAML
SubjectConfirmation methods: a holder-of-key assertion requires the
presenter to prove possession of the key bound to the subject, a
sender-vouches assertion requires a trusted attesting party to vouch for
the subject, and a bearer assertion is only as trustworthy as the
signature of the issuer that created it. These security requirements are
not properly enforced in Apache CXF when used with the TransportBinding,
leaving endpoints that rely on SAML assertions for authentication open to
spoofing attacks.

This has been fixed in revisions (in Apache WSS4J):

http://svn.apache.org/viewvc?view=revision&revision=1624308
http://svn.apache.org/viewvc?view=revision&revision=1624287
http://svn.apache.org/viewvc?view=revision&revision=1624262

Migration:

CXF 2.7.x users should upgrade to 2.7.13 or later as soon as possible.
CXF 3.0.x users should upgrade to 3.0.2 or later as soon as possible.

Credit:

This issue was reported by Dario Amiri (GE Global Research).

References:

http://cxf.apache.org/security-advisories.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJUNAHXAAoJEGe/gLEK1TmD0WIH/jOJNzXZDV8eZBK8+rBCshxH
b2d6w8+aKTaWglMDCEVpPh7EPEDhiOaLeqsN9pfHiuqNSqXX49hFaEDvdN5+7N9Q
21tekKmAP2zuYuVzTgNmrsltUPD4CTb6sH5thecag28XPdbci/fD3LRbKmJtnbpi
zmszV3h9tTd23Dk/O33ehyLeh2Y4xIx3vodACO0GtHWhOmLs46Gy56MY1kfkWryG
bcYCPSSOJ1VN9KVJJAha00zk4xK51gFcdGB5Wm4QxfVcnMJ4Fk3KKM6Y4+UgTJfX
f3xjggCa5DwooZH7NWiccDZ1IMVND4CZ+K/GhLTLAfIL/Sxvd8c1lkFW8NERAeE=
=is33
-----END PGP SIGNATURE-----
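Editor's added example (appended outside the signed advisory; this is not code from Apache CXF or WSS4J and does not reproduce their internals). It models the point the advisory makes: a server-authenticated TLS channel says nothing about who presented a SAML assertion, so each SubjectConfirmation method must be checked against what the transport and message actually proved about the sender. The Assertion and TransportContext classes, the key names, and the two accept_assertion_* functions are hypothetical; the rules they encode are the ones the OASIS WS-Security SAML Token Profile attaches to bearer, holder-of-key and sender-vouches confirmation. The weak policy is shown beside the hardened one so the difference is visible on constructed inputs.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Standard SAML 2.0 confirmation-method URIs.
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"


@dataclass
class Assertion:
    """Hypothetical, already-parsed view of a SAML assertion (not a WSS4J type)."""
    subject: str
    confirmation_method: str
    issuer: str
    issuer_signature_valid: bool           # did the assertion's own XML signature verify?
    subject_key: Optional[str] = None      # key named in SubjectConfirmationData (holder-of-key)


@dataclass
class TransportContext:
    """Hypothetical view of what the transport and message proved about the sender."""
    trusted_issuers: Set[str]
    trusted_attesting_keys: Set[str] = field(default_factory=set)
    tls_client_key: Optional[str] = None         # key the peer proved via TLS client authentication
    message_signature_key: Optional[str] = None  # key that signed the SOAP message, if any
    signature_covers_assertion: bool = False     # does that signature cover the assertion?


def accept_assertion_weak(a: Assertion, ctx: TransportContext) -> bool:
    """Weak policy: the server-authenticated TLS channel is treated as sufficient,
    so any well-formed assertion is accepted whatever its confirmation method says.
    A model of the class of mistake the advisory describes, not CXF's code."""
    return a.confirmation_method in (BEARER, HOLDER_OF_KEY, SENDER_VOUCHES)


def accept_assertion(a: Assertion, ctx: TransportContext) -> bool:
    """Hardened policy: enforce what each confirmation method actually promises."""
    m = a.confirmation_method
    if m == BEARER:
        # No proof of possession exists for a bearer token, so all trust rests on
        # a verified signature from an issuer we trust.
        return a.issuer_signature_valid and a.issuer in ctx.trusted_issuers
    if m == HOLDER_OF_KEY:
        # The issuer binds a key to the subject; the presenter must prove possession
        # of that key, here through TLS client auth or a signature covering the assertion.
        if not (a.issuer_signature_valid and a.issuer in ctx.trusted_issuers and a.subject_key):
            return False
        proved = {ctx.tls_client_key}
        if ctx.signature_covers_assertion:
            proved.add(ctx.message_signature_key)
        return a.subject_key in proved
    if m == SENDER_VOUCHES:
        # The assertion itself may be unsigned; a trusted attesting party vouches by
        # signing the message including the assertion, or by authenticating over TLS.
        if ctx.signature_covers_assertion:
            vouching_key = ctx.message_signature_key
        else:
            vouching_key = ctx.tls_client_key
        return vouching_key is not None and vouching_key in ctx.trusted_attesting_keys
    return False


def scenarios() -> List[Tuple[str, bool, bool]]:
    """Constructed cases; returns (name, weak_result, hardened_result) per case."""
    idp = {"idp"}
    hok = Assertion("alice", HOLDER_OF_KEY, "idp", True, subject_key="alice-key")
    sv = Assertion("alice", SENDER_VOUCHES, "idp", False)
    bearer_unsigned = Assertion("alice", BEARER, "idp", False)
    cases = [
        # A captured holder-of-key assertion replayed by a peer holding a different key.
        ("hok_replayed_without_key", hok,
         TransportContext(idp, tls_client_key="mallory-key")),
        ("hok_proved_by_tls_client_auth", hok,
         TransportContext(idp, tls_client_key="alice-key")),
        # Sender-vouches from a peer whose key nobody trusts to vouch.
        ("sv_from_untrusted_sender", sv,
         TransportContext(idp, trusted_attesting_keys={"gateway-key"}, tls_client_key="mallory-key")),
        ("sv_vouched_by_trusted_gateway", sv,
         TransportContext(idp, trusted_attesting_keys={"gateway-key"},
                          message_signature_key="gateway-key", signature_covers_assertion=True)),
        ("bearer_without_issuer_signature", bearer_unsigned, TransportContext(idp)),
    ]
    return [(name, accept_assertion_weak(a, c), accept_assertion(a, c)) for name, a, c in cases]


if __name__ == "__main__":
    for name, weak, hardened in scenarios():
        print(f"{name:34s} weak={weak!s:5s} hardened={hardened}")
```

The weak policy accepts all five constructed cases; the hardened one rejects the replayed holder-of-key assertion, the sender-vouches assertion from an untrusted sender, and the unsigned bearer assertion, and accepts only the two where the sender's proof matches the method. When checking a real deployment, the question to ask of the stack is the same one this model asks: for each method, which key did the sender prove, and is that key the one the assertion or the attesting-party policy names.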