-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2017-7661: The Apache CXF Fediz Jetty and Spring plugins are vulnerable to CSRF attacks.

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF Fediz prior to 1.4.0, 1.3.2 and 1.2.4.

Description:

Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross Site Request Forgery) style vulnerability has been found in the Spring 2, Spring 3, Jetty 8 and Jetty 9 plugins. The vulnerability can result in a security context being set up using a malicious client's roles for the given end-user. The Apache CXF and Tomcat plugins are not vulnerable to these attacks.

For both the Spring plugins and the Jetty plugins, the attack relies on the client starting the authentication process but not completing it (for example, when the IdP is unavailable). In addition, the Jetty plugins are vulnerable even if the end-user completes the authentication process, but the scope of the attack is limited to the root context address.

This has been fixed in revision:

https://github.com/apache/cxf-fediz/commit/acdbe8c213576792dd95d87315bcc181ea61b57f

Migration:

Apache CXF Fediz users should upgrade to 1.4.0, 1.3.2 or 1.2.4 as soon as possible if they are using any of the Jetty 8, Jetty 9, Spring 2 or Spring 3 plugins.

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJZGxuFAAoJEGe/gLEK1TmDuKsH/1JJA5BwgqjmVkGXLzVIswIq
KtgtfgWBdxTdLnB8/zJyw/EMt0dDZf/92/8gJxbI3fMolhEOs6cttsaVQB/JFuLf
UoU5nL2F/POGY+e+Yr67MA0VnMI4BesDer/sp37uN6TlJrhoerfxa1jaWDRSBiUt
N/KSbTkwnFUETOQu89jLphEb9PfXON0C1WAE5smTKkFcODILLR8+9VTDIsZ7vbb/
qg9FEyNFmRDazEUe9Y2YPYvOrl5et8hTMRDmoV4CFlWiFmqmVYr9+4W9L2K7ZPkZ
a+nJG0bMbaimWAz2fdYLRGsSEQDIKddaJRon4MSRlXz7qMw45+pdKyaNC+eH15U=
=/EWH
-----END PGP SIGNATURE-----
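The class of bug the advisory describes is a login CSRF: a relying party accepts a WS-Federation sign-in response that the current browser session never asked for, so the security context ends up holding whatever roles that response carried. The example below is an added illustration of the general defence, not code from Apache CXF Fediz or from the referenced commit: the relying party generates an unguessable `wctx` value when it starts a sign-in, remembers it in the session, and only accepts a sign-in response whose echoed `wctx` matches that pending value, consuming it so it cannot be replayed. The session store, the `start_signin`/`accept_signin_*` functions and the response dictionaries are assumed names and constructed data; token signature checking is assumed to have happened before these functions run, since the issue here is session binding rather than token validity.

```python
import secrets

# Constructed, in-memory stand-in for the container's HTTP session.
class Session(dict):
    pass


def start_signin(session: Session) -> dict:
    """Begin a WS-Federation sign-in (assumed relying-party logic).

    A fresh, unguessable context value is stored in the session and sent to
    the IdP as 'wctx'. The IdP echoes it back unchanged with the sign-in
    response, so it acts as a CSRF token: a third-party site cannot read it
    and therefore cannot forge a response that carries the right value.
    """
    ctx = secrets.token_urlsafe(32)
    session["pending_wctx"] = ctx
    # Query parameters for the redirect to the IdP's sign-in endpoint.
    return {"wa": "wsignin1.0", "wctx": ctx}


def accept_signin_vulnerable(session: Session, response: dict) -> bool:
    """Weak pattern: any (signature-valid) sign-in response is accepted.

    The response is never tied to a sign-in this session started, so a
    response delivered via a cross-site POST sets up a security context
    with whatever roles it carries.
    """
    session["principal"] = response["subject"]
    session["roles"] = list(response["roles"])
    return True


def accept_signin_hardened(session: Session, response: dict) -> bool:
    """Hardened pattern: require the response to match the pending wctx.

    The pending value is removed unconditionally (single use): a genuine
    response consumes it, and a mismatching one invalidates it so the user
    simply has to restart sign-in. A session with no pending sign-in, or a
    response with no or a wrong wctx, is rejected without touching roles.
    """
    pending = session.pop("pending_wctx", None)
    echoed = response.get("wctx", "")
    if pending is None or not secrets.compare_digest(pending, echoed):
        return False
    session["principal"] = response["subject"]
    session["roles"] = list(response["roles"])
    return True


def demo() -> dict:
    """Run both handlers against constructed responses; return the outcomes."""
    # Constructed response a third-party page might cause the browser to POST:
    # its wctx is not the one this session generated.
    unsolicited = {"subject": "someone", "roles": ["admin"], "wctx": "not-ours"}

    # Sign-in started but never completed (e.g. IdP unavailable), then an
    # unsolicited response arrives.
    weak = Session()
    start_signin(weak)
    weak_accepted = accept_signin_vulnerable(weak, unsolicited)

    strong = Session()
    start_signin(strong)
    strong_accepted = accept_signin_hardened(strong, unsolicited)

    # Genuine round trip: response echoes the session's own wctx.
    genuine = Session()
    params = start_signin(genuine)
    legit = {"subject": "alice", "roles": ["user"], "wctx": params["wctx"]}
    genuine_accepted = accept_signin_hardened(genuine, legit)
    # A second delivery of the same response must not be accepted again.
    replay_accepted = accept_signin_hardened(genuine, legit)

    return {
        "weak_accepted": weak_accepted,
        "weak_roles": weak.get("roles"),
        "strong_accepted": strong_accepted,
        "strong_roles": strong.get("roles"),
        "genuine_accepted": genuine_accepted,
        "genuine_roles": genuine.get("roles"),
        "replay_accepted": replay_accepted,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The advisory's "started but not completed" precondition maps directly onto the `weak` session above: a pending sign-in exists, and the weak handler never asks whether the response that eventually arrives belongs to it. The hardened handler also rejects a response when no sign-in is pending at all, which covers a user who never clicked "log in" in the first place.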