CVE-2016-4464: Apache CXF Fediz application plugins do not match the SAML AudienceRestriction values against the list of configured audience URIs.

Severity: Minor

Vendor: The Apache Software Foundation

Versions Affected:
This vulnerability affects Apache CXF Fediz 1.2.0, 1.2.1, 1.2.2 and 1.3.0.

Description:
Apache CXF Fediz is a subproject of Apache CXF which implements the WS-Federation Passive Requestor Profile for SSO specification. It provides a number of container-based plugins to enable SSO for Relying Party applications.

It is possible to configure a list of audience URIs for the plugins, against which the AudienceRestriction values of the received SAML tokens are supposed to be matched. However, this matching does not actually take place. This means that a token targeted at another service could be accepted by the application plugin (assuming that the signature is trusted), something that could potentially be exploited by an attacker.

This has been fixed in revision:
https://git-wip-us.apache.org/repos/asf?p=cxf-fediz.git;a=commit;h=0006581e9cacbeef46381a223e5671e524d416b6

Migration:
Fediz 1.1.x users are not affected by this vulnerability.
Fediz 1.2.x users should upgrade to 1.2.3 or later as soon as possible.
Fediz 1.3.x users should upgrade to 1.3.1 or later as soon as possible.

References:
http://cxf.apache.org/security-advisories.html
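The check the advisory says was skipped, as an added example that is not Fediz code: SAML 2.0 and SAML 1.1 audience restrictions evaluated against a configured audience list over constructed sample tokens. It assumes the policy that, once audiences are configured, a token carrying no restriction at all is rejected (stricter than the SAML default, where absence means unrestricted).

```python
# Added illustration, not Fediz code: evaluate SAML AudienceRestriction values
# against a configured audience list, the check that was skipped in CVE-2016-4464.
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"

# SAML 2.0 carries AudienceRestriction/Audience, SAML 1.1 AudienceRestrictionCondition/Audience.
RESTRICTION_TAGS = {
    "{%s}AudienceRestriction" % SAML2: "{%s}Audience" % SAML2,
    "{%s}AudienceRestrictionCondition" % SAML1: "{%s}Audience" % SAML1,
}

def audience_restrictions(assertion_xml):
    """Return one set of Audience URIs per restriction element found in the token."""
    root = ET.fromstring(assertion_xml)
    found = []
    for restriction_tag, audience_tag in RESTRICTION_TAGS.items():
        for restriction in root.iter(restriction_tag):
            found.append({(a.text or "").strip() for a in restriction.iter(audience_tag)})
    return found

def audience_ok(assertion_xml, configured_audiences):
    """Every restriction must name at least one configured audience: restrictions
    are ANDed, the Audience values inside one restriction are ORed (SAML Core 2.5.1.4).
    Assumed policy: with audiences configured, a token carrying no restriction is
    rejected rather than treated as unrestricted."""
    configured = set(configured_audiences)
    if not configured:
        return True  # nothing configured, nothing to enforce
    restrictions = audience_restrictions(assertion_xml)
    if not restrictions:
        return False
    return all(r & configured for r in restrictions)

# Constructed sample tokens (signature validation is assumed to happen elsewhere).
OTHER_SERVICE_TOKEN = """<saml:Assertion xmlns:saml="%s" Version="2.0" ID="_c1">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://other-service.example/</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>""" % SAML2

SAML1_TOKEN = """<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="1">
  <saml:Conditions><saml:AudienceRestrictionCondition>
    <saml:Audience>https://rp.example/app</saml:Audience>
  </saml:AudienceRestrictionCondition></saml:Conditions>
</saml:Assertion>""" % SAML1
```

With `https://rp.example/app` configured, the first token is rejected because its only audience names another service, while the SAML 1.1 token is accepted.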