CVE-2017-3156: Apache CXF OAuth2 Hawk and JOSE MAC validation code is vulnerable to timing attacks

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:
This vulnerability affects all versions of Apache CXF prior to 3.0.13 and 3.1.10.

Description:
The Apache CXF OAuth2 Hawk and JOSE MAC validation code does not use a constant-time MAC signature comparison algorithm, which may be exploited by sophisticated timing attacks. It only affects OAuth2 Hawk or JWT access tokens, or JOSE JWS/JWE interceptors, that depend on HMAC secret key algorithms.

This has been fixed in revisions:

CXF 3.1.x: http://git-wip-us.apache.org/repos/asf/cxf/commit/555843f9
CXF 3.0.x: http://git-wip-us.apache.org/repos/asf/cxf/commit/1338469f
CXF 3.2.0-SNAPSHOT (master): http://git-wip-us.apache.org/repos/asf/cxf/commit/e66ce235

Credit:
The issue was reported and the patch provided by Richard Kettelerij.

Migration:
CXF 3.0.x users should upgrade to 3.0.13 or later as soon as possible.
CXF 3.1.x users should upgrade to 3.1.10 or later as soon as possible.

References:
http://cxf.apache.org/security-advisories.html
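The advisory names the defect but does not show it. The following is an added illustration, not CXF's code or the linked patch: an early-exit byte comparison of the kind the advisory describes beside a constant-time one, applied to an HMAC-SHA256 over a constructed Hawk-style normalized string (the key, timestamp, nonce and resource values are sample data invented for this example).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ConstantTimeMacCheck {

    // Early-exit comparison: returns at the first mismatching byte, so the time
    // taken depends on how many leading bytes of the supplied MAC are correct.
    static boolean leakyEquals(byte[] expected, byte[] provided) {
        if (expected.length != provided.length) return false;
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != provided[i]) return false;
        }
        return true;
    }

    // Constant-time comparison: folds every byte difference into one accumulator
    // and only decides at the end, so timing reveals lengths but no content.
    static boolean constantTimeEquals(byte[] expected, byte[] provided) {
        int diff = expected.length ^ provided.length;
        for (int i = 0; i < expected.length && i < provided.length; i++) {
            diff |= expected[i] ^ provided[i];
        }
        return diff == 0;
    }

    static byte[] hmacSha256(byte[] key, String message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(message.getBytes(StandardCharsets.UTF_8));
    }

    // Verify a received MAC (base64 as in a Hawk Authorization header; a JWS
    // signature would use Base64.getUrlDecoder() instead) against a recomputed one.
    static boolean verify(byte[] key, String signedInput, String receivedMacBase64) throws Exception {
        byte[] expected = hmacSha256(key, signedInput);
        byte[] provided = Base64.getDecoder().decode(receivedMacBase64);
        return constantTimeEquals(expected, provided); // MessageDigest.isEqual does the same in current JDKs
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8); // constructed sample key
        // Constructed Hawk normalized string: ts, nonce, method, resource, host, port, hash, ext
        String normalized = "hawk.1.header\n1490000000\nj4h3g2\nGET\n/resource\nexample.com\n443\n\n\n";
        String goodMac = Base64.getEncoder().encodeToString(hmacSha256(key, normalized));
        String badMac = Base64.getEncoder().encodeToString(new byte[32]);
        System.out.println("valid MAC accepted: " + verify(key, normalized, goodMac));
        System.out.println("wrong MAC rejected: " + !verify(key, normalized, badMac));
        System.out.println("leaky path agrees on result, differs only in timing: "
                + leakyEquals(hmacSha256(key, normalized), Base64.getDecoder().decode(goodMac)));
    }
}
```

The two comparison functions return the same booleans; the difference is that leakyEquals stops early, which is the behaviour the advisory says the affected CXF versions exhibited.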