-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2014-0035: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:
This vulnerability affects all versions of Apache CXF prior to 2.6.13 and 2.7.10.

Description:
UsernameTokens are sent in plaintext, i.e. not encrypted even though the policy requires them to be, by a CXF client that uses a SymmetricBinding with EncryptBeforeSigning enabled together with a UsernameToken policy that is declared as a *EncryptedSupportingToken. No other binding is affected, and SignBeforeEncrypting is not affected either.

This has been fixed in revision:
http://svn.apache.org/viewvc?view=revision&revision=1564724

Migration:
Although this vulnerability has been fixed in CXF 2.6.13 and 2.7.10, due to other security advisories it is recommended to upgrade to the following releases:

CXF 2.6.x users should upgrade to 2.6.14 or later as soon as possible.
CXF 2.7.x users should upgrade to 2.7.11 or later as soon as possible.

References:
http://cxf.apache.org/security-advisories.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQEcBAEBAgAGBQJTPq+aAAoJEGe/gLEK1TmDr+YH/2444g2JjtGPNO3vOD3VQPQU
9O19UYQEhIuCw/fupz443Jgbk7UFBD7YbcgOTx/5j0n7WKsPHSJ4p7U5vjOQ0jKQ
t+8azHqaD/OvkVTfz/gi58BwD77vAzSc/yrKgjuZl+3Yc6+Sljehi2CsLFXOzlH+
C353baE/4uCTgW9varZGcFc3b7yi4GA47D9oz8vU7sTVJMzWC67+rQs9GCSp61El
eOyN+4PE4gpFUbiuQqiprwNIb4y52JrY7ew94QbzDhLi+dJdH4w1FlOUUX6MXqqX
nBC56gEyuqImiRdfGqfwQd5G53/SEhZEsGl3XchixKFEzyIIwu+0FuOpMQ4/RwE=
=DEQg
-----END PGP SIGNATURE-----
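The advisory names a specific WS-SecurityPolicy combination (SymmetricBinding + EncryptBeforeSigning + a UsernameToken declared under one of the *EncryptedSupportingTokens assertions). The script below is an added example, not part of the advisory or of Apache CXF, that scans a policy document for exactly that combination so an operator can triage which endpoints need the upgrade. Element and namespace names are those of WS-SecurityPolicy 1.1 and 1.2; the sample policies are constructed for this example and the `sample_policy` helper is hypothetical.

```python
"""Flag WS-SecurityPolicy documents that use the CVE-2014-0035 combination.

Added example; not part of the advisory or of Apache CXF. A policy is
flagged when an sp:SymmetricBinding contains sp:EncryptBeforeSigning and
an sp:UsernameToken sits inside one of the *EncryptedSupportingTokens
assertions, which is the combination the advisory describes. The sample
policies produced by sample_policy() are constructed for this example.
"""
import xml.etree.ElementTree as ET

SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"        # WS-SP 1.2
SP_NAMESPACES = {SP_NS, "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"}  # + WS-SP 1.1
WSP_NS = "http://www.w3.org/ns/ws-policy"

# Supporting-token assertions whose contents the policy requires to be encrypted.
ENCRYPTED_SUPPORTING = {
    "EncryptedSupportingTokens",
    "SignedEncryptedSupportingTokens",
    "EndorsingEncryptedSupportingTokens",
    "SignedEndorsingEncryptedSupportingTokens",
}


def _split_tag(el):
    """Return (namespace, local name) for an ElementTree element tag."""
    if el.tag.startswith("{"):
        ns, name = el.tag[1:].split("}", 1)
        return ns, name
    return "", el.tag


def _sp_descendants(el, name):
    """Yield WS-SecurityPolicy elements (el included) with the given local name."""
    for child in el.iter():
        ns, local = _split_tag(child)
        if ns in SP_NAMESPACES and local == name:
            yield child


def uses_symmetric_encrypt_before_signing(root):
    """True if any SymmetricBinding asserts EncryptBeforeSigning."""
    return any(
        any(True for _ in _sp_descendants(binding, "EncryptBeforeSigning"))
        for binding in _sp_descendants(root, "SymmetricBinding")
    )


def username_token_is_encrypted_supporting(root):
    """True if a UsernameToken is declared under a *EncryptedSupportingTokens assertion."""
    return any(
        any(True for _ in _sp_descendants(sup, "UsernameToken"))
        for name in ENCRYPTED_SUPPORTING
        for sup in _sp_descendants(root, name)
    )


def is_affected_policy(policy_xml):
    """Return True when the policy matches the combination in the advisory."""
    root = ET.fromstring(policy_xml)
    return (uses_symmetric_encrypt_before_signing(root)
            and username_token_is_encrypted_supporting(root))


def sample_policy(order="EncryptBeforeSigning", supporting="EncryptedSupportingTokens"):
    """Constructed policy skeleton (hypothetical helper); parameters pick the variant."""
    inc = SP_NS + "/IncludeToken/"
    return f"""<wsp:Policy xmlns:wsp="{WSP_NS}" xmlns:sp="{SP_NS}">
  <wsp:ExactlyOne><wsp:All>
    <sp:SymmetricBinding><wsp:Policy>
      <sp:ProtectionToken><wsp:Policy>
        <sp:X509Token sp:IncludeToken="{inc}Never"><wsp:Policy>
          <sp:WssX509V3Token10/></wsp:Policy></sp:X509Token>
      </wsp:Policy></sp:ProtectionToken>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
      <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
      <sp:IncludeTimestamp/>
      <sp:{order}/>
    </wsp:Policy></sp:SymmetricBinding>
    <sp:{supporting}><wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="{inc}AlwaysToRecipient"><wsp:Policy>
        <sp:WssUsernameToken11/></wsp:Policy></sp:UsernameToken>
    </wsp:Policy></sp:{supporting}>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""


if __name__ == "__main__":
    cases = [
        ("EncryptBeforeSigning + EncryptedSupportingTokens", sample_policy()),
        ("SignBeforeEncrypting + EncryptedSupportingTokens",
         sample_policy(order="SignBeforeEncrypting")),
        ("EncryptBeforeSigning + SignedSupportingTokens",
         sample_policy(supporting="SignedSupportingTokens")),
    ]
    for label, policy in cases:
        verdict = "AFFECTED  " if is_affected_policy(policy) else "unaffected"
        print(f"{verdict}  {label}")
```

The check is a policy-level triage only: a match means the client is using the combination the advisory describes, and the endpoint is vulnerable if the CXF version is below 2.6.13 / 2.7.10. Policies embedded in a WSDL can be fed to `is_affected_policy` after extracting the `wsp:Policy` element; a policy that merely omits the ordering assertion defaults to SignBeforeEncrypting and is reported as unaffected, consistent with the advisory.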