-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2017-5656: Apache CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens. 

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 3.1.11 and
3.0.13.

Description:

An Apache CXF endpoint can be used as an intermediary, where a token credential
from the received message is used as a delegation token to obtain a new token
from a Security Token Service (STS) for the outbound request.

By default, the token retrieved from the STS is cached and associated with the
delegation token via an identifier extracted from the delegation token. 

However, there is a weakness in how the identifier is extracted from the
delegation token: an attacker could craft a delegation token that yields an
identifier matching the cache entry of another user's token, and so receive
that user's cached STS token without the STS ever validating the crafted token.
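The following is an added, self-contained illustration of the failure mode
described above. It is not Apache CXF code and does not reproduce the actual
CXF bug or the fix in the commit linked below; the token markup, the FakeSTS
class and the two key functions are constructed for the example. It contrasts
a cache keyed on an identifier taken from the (attacker-supplied) delegation
token with one keyed on a digest of the whole token, and shows why the first
lets a second caller retrieve the first caller's cached token while the STS is
never consulted for the crafted token.

```python
import hashlib
import re

# Constructed sample delegation tokens (illustrative markup, not real SAML
# assertions or CXF traffic). Mallory's token carries the same ID attribute
# as Alice's; everything else differs, and Mallory cannot forge Alice's
# signature, so a real STS would never issue Alice's token for it.
ALICE_DELEGATION = (
    '<Assertion ID="_a1"><Subject>alice</Subject>'
    '<Signature>sig-by-alice</Signature></Assertion>'
)
MALLORY_DELEGATION = (
    '<Assertion ID="_a1"><Subject>mallory</Subject>'
    '<Signature>sig-by-mallory</Signature></Assertion>'
)


class FakeSTS:
    """Stand-in for a Security Token Service: issues a token bound to the
    delegation token's subject and counts how often it is contacted."""

    def __init__(self):
        self.calls = 0

    def issue(self, delegation_token):
        self.calls += 1
        subject = re.search(r"<Subject>([^<]+)</Subject>", delegation_token).group(1)
        return "issued-for-" + subject


def weak_key(delegation_token):
    """Flawed cache key: an identifier pulled out of the token text. The sender
    of the delegation token chooses this value, so two different tokens can
    map to the same cache entry."""
    return re.search(r'ID="([^"]+)"', delegation_token).group(1)


def strong_key(delegation_token):
    """Hardened cache key: a digest over the entire delegation token, so only a
    byte-identical token (signature included) hits the same cache entry."""
    return hashlib.sha256(delegation_token.encode("utf-8")).hexdigest()


class CachingSTSClient:
    """Minimal model of an intermediary that exchanges a delegation token for
    an STS-issued token and caches the result under key_fn(delegation)."""

    def __init__(self, sts, key_fn):
        self.sts = sts
        self.key_fn = key_fn
        self.cache = {}

    def get_token(self, delegation_token):
        key = self.key_fn(delegation_token)
        if key in self.cache:          # cache hit: the STS is never consulted
            return self.cache[key]
        issued = self.sts.issue(delegation_token)
        self.cache[key] = issued
        return issued


def run_scenario(key_fn):
    """Alice obtains a token first, then Mallory presents a crafted delegation
    token. Returns (alice_token, mallory_token, number_of_sts_calls)."""
    sts = FakeSTS()
    client = CachingSTSClient(sts, key_fn)
    alice_token = client.get_token(ALICE_DELEGATION)
    mallory_token = client.get_token(MALLORY_DELEGATION)
    return alice_token, mallory_token, sts.calls


if __name__ == "__main__":
    print("weak key:  ", run_scenario(weak_key))    # Mallory receives Alice's token
    print("strong key:", run_scenario(strong_key))  # Mallory receives her own
```

With the weak key the second lookup is a cache hit, so the STS (and its
validation of the delegation token) is bypassed and Mallory is handed the
token issued for Alice. With a digest of the full token as the key, a token
that differs in any byte misses the cache and must be validated by the STS.
Keying on the raw bytes means a re-serialised but semantically equal token
also misses the cache; that only costs an extra STS round trip, it does not
weaken the check.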

This has been fixed in revision:

https://git1-us-west.apache.org/repos/asf?p=cxf.git;a=commit;h=66c2c5b9

Migration:

Apache CXF users should upgrade to 3.1.11 or 3.0.13 or later as soon as
possible.

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJY8OBVAAoJEGe/gLEK1TmD/8wIAIHBgZE2PEfvnltqUCkaJDKJ
2FxI5CYZBuSS2W5JQxPu9BOVBzFE4q1EhNpFklbV/0xucuSq7aM7QKmCkj1DJ5kV
ftdJomkzb1WWecKcuTb/rdip0i+DeaOcz8f7Q7vRxoFm9080obzYrjsA1i6bgcSL
gkCd+OegoaZpOfcvZl+sXLXCGb49uJHaZA9YWVrukOBRuKzxMqHSQTYYW996a63N
hLkMIChKDNyihSWU8niuvEw35apjFeo6GXwDHfvn4XhBNf3OtgBVQQpP7PGKJmA5
rEh2HlFhUzEBlzELIiC6sbpLxuj1gdOEjUWE4OjJb9sSfel07ZbNTjVxmN3wgjU=
=HOyH
-----END PGP SIGNATURE-----