CVE-2017-5653: Apache CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted.

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
This vulnerability affects all versions of Apache CXF prior to 3.1.11 and 3.0.13.

Description:
Apache CXF supports the use of XML Signature and XML Encryption to secure JAX-RS services. Two implementations are available: a DOM-based approach that builds an in-memory model of the message before applying security, and a streaming-based implementation that is a useful alternative for larger messages. There is a bug in message validation for JAX-RS clients using the streaming approach: the client does not enforce that the message is signed and/or encrypted. An exception is thrown in these cases, but it is not properly propagated to the client code, so an unsigned or unencrypted response is accepted. The bug does not apply to DOM clients, and it does not apply to the streaming server-side case.

This has been fixed in revision:
https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=fade9b81dabe27f864ca38e7b40f28fb44d6f165

Migration:
Apache CXF users should upgrade to 3.1.11 or 3.0.13 or later as soon as possible. In addition, instead of adding the JAX-RS XmlSecInInterceptor to the CXF in-interceptor chain for the client, it is necessary to add it as a JAX-RS provider.
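The two client wirings contrasted, as an added illustration that is not part of the advisory or of the CXF project: the first registers XmlSecInInterceptor on the in-interceptor chain (the affected configuration), the second registers the same object as a JAX-RS provider, as the migration note requires. It assumes the CXF 3.x WebClient API and the setRequireSignature/setRequireEncryption setters on XmlSecInInterceptor; the crypto/trust-store properties that signature verification also needs are configured separately and omitted here.

```java
import java.util.Collections;

import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.xml.XmlSecInInterceptor;

public class XmlSecClientWiring {

    // Affected wiring: the interceptor sits on the client's CXF in-interceptor
    // chain. With the streaming implementation, the "response must be signed"
    // exception was thrown inside the chain but never reached the caller, so
    // a plain, unsigned response was accepted as if it had been verified.
    static WebClient interceptorChainClient(String address) {
        WebClient client = WebClient.create(address);
        XmlSecInInterceptor xmlSecIn = new XmlSecInInterceptor();
        xmlSecIn.setRequireSignature(true);
        WebClient.getConfig(client).getInInterceptors().add(xmlSecIn);
        return client;
    }

    // Recommended wiring on CXF 3.1.11 / 3.0.13 or later: register the same
    // object as a JAX-RS provider. A failed signature or encryption check
    // then surfaces to the calling code instead of being swallowed.
    static WebClient providerClient(String address) {
        XmlSecInInterceptor xmlSecIn = new XmlSecInInterceptor();
        xmlSecIn.setRequireSignature(true);   // reject unsigned responses
        xmlSecIn.setRequireEncryption(false); // signature only, for this service
        return WebClient.create(address, Collections.singletonList(xmlSecIn));
    }

    public static void main(String[] args) {
        // Constructed address; no real service is contacted in this listing.
        WebClient client = providerClient("https://service.example/api/orders");
        try {
            String body = client.path("1").accept("application/xml").get(String.class);
            System.out.println("verified response: " + body);
        } catch (RuntimeException e) {
            // With provider registration the missing-signature failure is
            // visible here; treat it as a security failure, not a retry case.
            System.err.println("response rejected: " + e.getMessage());
        }
    }
}
```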