----BEGIN PGP SIGNED MESSAGE----
Hash: SHA1

CVE-2013-0239: Authentication bypass in the case of WS-SecurityPolicy enabled
plaintext UsernameTokens.

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 2.5.9, 2.6.6
and 2.7.3.

Description:

The following WS-SecurityPolicy 1.3 fragment requires that a WS-Security
UsernameToken must be present in the security header of a SOAP request:

<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10/>
</wsp:Policy>
</sp:UsernameToken>

If a UsernameToken element is sent with no password child element, then a
policy similar to the policy defined above will completely bypass
authentication by default. This is due to the use-case of supporting deriving
keys from a UsernameToken, where a password element would not be sent in the
token.

The vulnerability does not apply in any of the following circumstances:

a) You are using a custom UsernameTokenValidator which does not allow the
'verifyUnknownPassword' use-case, or that otherwise insists that a password
must be present in the token (such as the 'JAASUsernameTokenValidator' in
WSS4J).
b) You are using a 'sp:HashPassword' policy that requires a hashed password
to be present in the token.
c) You are using the older style of configuring WS-Security without using
WS-SecurityPolicy.

If you are relying on WS-SecurityPolicy enabled plaintext UsernameTokens to
authenticate users, and if neither points a) nor b) apply, then you must
upgrade to a fixed version of CXF (see below), or else configure a custom
UsernameTokenValidator implementation to insist that a password element must
be present.

The fix has been to require a password element in the case of a (non-endorsing)
SupportingToken.

This has been fixed in revisions:

http://svn.apache.org/viewvc?view=revision&revision=1438424

Migration:

Users of CXF prior to 2.5.x should upgrade to either 2.5.9, 2.6.6, or 2.7.3.
CXF 2.5.x users should upgrade to 2.5.9 as soon as possible.
CXF 2.6.x users should upgrade to 2.6.6 as soon as possible.
CXF 2.7.x users should upgrade to 2.7.3 as soon as possible.

References: http://cxf.apache.org/security-advisories.html

----BEGIN PGP SIGNATURE----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJRFM+nAAoJEGe/gLEK1TmDf/gIAJFUWpot4X9xtbJ5SfEqGwlY
+FUoeaSuzqyVLmEPhas6eDIrwONDOrQJC9VO6fyJGMtk6rrPtbmcbRGosjb+bSJF
fpi0aHTvJdZMv2FGWkUHbpJhn0nnmM3BzgKcDhh1GTKDhiDhn4xdD+TKxNQ+xuML
KjSP6SWXCCL6jvPuu90zPPkyTX3BlR8Mxzr1OxmiGKkU2uB8Mnx+KLgMjDkV/9uf
+dApxPsqGgtDbETt1RYRrRKGW8S2YSQ61Kmf9Ce5Ewd+pcv3KRxhmerfAf6AwypD
DhiXacDlm0kjH02fWFbddMKQoL4IxbRmLV8cJSRI6mJ45Fi+r+SlLa2/g7PUxOg=
=NqSU
----END PGP SIGNATURE----