-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2017-12631: CSRF vulnerabilities in the Apache CXF Fediz Spring plugins.

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF Fediz prior to 1.4.3 and 1.3.3.

Description:

Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross-Site Request Forgery) style vulnerability has been found in the Spring 2, Spring 3 and Spring 4 plugins. The vulnerability can result in a security context that is set up using a malicious client's roles for the given end user.

Please note that this is a separate security advisory to a previous advisory (CVE-2017-7661) that covered another type of CSRF attack on the Spring plugins.

This has been fixed in revision:

https://github.com/apache/cxf-fediz/commit/e7127129dbc0f4ee83985052085e185e750cebbf

Migration:

Apache CXF Fediz users should upgrade to 1.4.3 or 1.3.3 as soon as possible if they are using either the Spring 2, Spring 3 or Spring 4 plugins.

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJaH9tqAAoJEGe/gLEK1TmDyYIH/jeSMNdErdBQwqfRpW3lDPGj
159hXiQqHN8KtweYztnCw5W1RnwZaKsipR97Ux+hPM4NVNYKBr0PsHj4gkTW/E4J
e+5ZDsr6pKDw9hQWSKtfH5yqC34jqghW509yeAWQ0toQSO+73cIn1CTR1wVXX54k
mGhj9oSMHdDsSg3M3mFu2EE01KOE2ZlwcIjVPVBdIgFB4rUl+WoBHbu1BYTYxzgd
dA8RXqB3Rh9+KHUcN+JHrlnT8RckxNUz1IroSgiN0WAiCuZDcLGTJXqSci3iUWzn
hIcUyF+btbUvJIcyRXMhWaZU3+8TS0iuvnoaZdLQfhJcd5YnQffv+USg86Eg4Ts=
=V3pI
-----END PGP SIGNATURE-----
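The "Versions Affected" and "Migration" sections define two fixed branches (1.3.3 and 1.4.3) rather than a single cut-off, which is easy to get wrong in an inventory check. The script below is an added example, not part of the advisory or of the Apache CXF Fediz project: it encodes the affected range from this advisory, treats a pre-release qualifier (for example -SNAPSHOT) as earlier than the final release of the same number, and scans a constructed pom.xml for Fediz Spring plugin dependencies. The artifactIds fediz-spring, fediz-spring2 and fediz-spring3 are assumed names used for illustration; the sample pom is constructed.

```python
"""Flag Apache CXF Fediz Spring plugin versions in the CVE-2017-12631 range.

Added example (not project code). Affected range taken from the advisory:
every version before 1.3.3, and every 1.4.x version before 1.4.3.
"""
import re
import xml.etree.ElementTree as ET

# Version keys are (major, minor, patch, release_flag); release_flag is 0 for
# a qualified pre-release such as 1.4.3-SNAPSHOT and 1 for the final release,
# so a snapshot of the fixed version still counts as unpatched.
FIXED_1_3 = (1, 3, 3, 1)
FIXED_1_4 = (1, 4, 3, 1)
BRANCH_1_4_START = (1, 4, 0, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]([A-Za-z0-9.]+))?$")


def parse_version(text):
    """Parse 'major.minor[.patch][-qualifier]' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if qualifier else 1)


def is_affected(version):
    """True if the version is inside the range the advisory describes."""
    key = parse_version(version)
    if key >= BRANCH_1_4_START:
        return key < FIXED_1_4      # 1.4.0 .. 1.4.2 (and 1.4.3 pre-releases)
    return key < FIXED_1_3          # everything before 1.3.3 (1.2.x, 1.3.0 ..)


POM_NS = "{http://maven.apache.org/POM/4.0.0}"
FEDIZ_GROUP = "org.apache.cxf.fediz"
# Assumed artifactIds for the Spring plugins (illustrative, not verified).
SPRING_PLUGIN_IDS = {"fediz-spring", "fediz-spring2", "fediz-spring3"}


def find_spring_plugin_dependencies(pom_xml):
    """Return (artifactId, resolved version, affected) for each Fediz Spring
    plugin declared in the pom, resolving simple ${property} references."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_el = root.find(POM_NS + "properties")
    if props_el is not None:
        for p in props_el:
            props[p.tag.replace(POM_NS, "")] = (p.text or "").strip()

    results = []
    for dep in root.iter(POM_NS + "dependency"):
        group = dep.findtext(POM_NS + "groupId", "").strip()
        artifact = dep.findtext(POM_NS + "artifactId", "").strip()
        version = dep.findtext(POM_NS + "version", "").strip()
        if group != FEDIZ_GROUP or artifact not in SPRING_PLUGIN_IDS:
            continue
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)), version)
        results.append((artifact, version, is_affected(version)))
    return results


# Constructed sample pom: one plugin on an affected 1.4.x release pulled in
# through a property, one plugin already on the fixed 1.3.3, and a non-plugin
# artifact that the advisory does not cover.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>webapp</artifactId><version>1.0</version>
  <properties><fediz.version>1.4.2</fediz.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.cxf.fediz</groupId>
      <artifactId>fediz-spring</artifactId>
      <version>${fediz.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.cxf.fediz</groupId>
      <artifactId>fediz-spring2</artifactId>
      <version>1.3.3</version>
    </dependency>
    <dependency>
      <groupId>org.apache.cxf.fediz</groupId>
      <artifactId>fediz-core</artifactId>
      <version>1.4.2</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, version, affected in find_spring_plugin_dependencies(SAMPLE_POM):
        status = "UPGRADE (CVE-2017-12631)" if affected else "ok"
        print("%-14s %-16s %s" % (artifact, version, status))
```

Run against the sample pom this reports fediz-spring 1.4.2 as needing an upgrade and fediz-spring2 1.3.3 as fixed; a 1.4.x project must move to 1.4.3 rather than 1.3.3, which is why the check branches on the 1.4.0 boundary instead of comparing against a single version.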