CVE-2017-7662: The Apache CXF Fediz OIDC Client Registration Service is vulnerable to CSRF attacks

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all versions of Apache CXF Fediz prior to 1.4.0 and 1.3.2.

Description: Apache CXF Fediz ships with an OpenID Connect (OIDC) service which has a Client Registration Service, a simple web application that allows clients to be created, deleted, etc. A CSRF (Cross-Site Request Forgery) style vulnerability has been found in this web application, meaning that a malicious web application could create new clients, reset secrets, etc., after the admin user has logged on to the client registration service while the session is still active.

This has been fixed in revision: https://github.com/apache/cxf-fediz/commit/c68e4820816c19241568f4a8fe8600bffb0243cd

Migration: Apache CXF Fediz users should upgrade to 1.4.0 or 1.3.2 as soon as possible if they are using the OIDC service.
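The flaw described above is the classic CSRF pattern: a state-changing request is accepted on the strength of the admin's session cookie alone, which the browser also attaches to a form post submitted from a foreign site. The following added Python model (not Fediz code, and not the fix in the linked commit) contrasts that cookie-only handler with one that additionally requires a per-session synchronizer token and checks the Origin header; the session store, client store, hostnames and request dictionaries are all constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory state: an admin session and the registered clients.
# This stands in for the registration service's session handling; it is
# not Fediz code.
SESSIONS = {"sess-admin": {"user": "admin", "csrf_token": secrets.token_hex(16)}}
CLIENTS = {}
OUR_ORIGIN = "https://idp.example.test"  # hypothetical service origin


def create_client_unprotected(cookies, form):
    """Vulnerable pattern: any POST carrying a valid session cookie is
    accepted. A cross-site form post carries that cookie too, so a page the
    admin merely visits can register a client on the admin's behalf."""
    session = SESSIONS.get(cookies.get("JSESSIONID"))
    if session is None:
        return 401
    CLIENTS[form["client_name"]] = {"owner": session["user"]}
    return 200


def create_client_protected(cookies, form, headers):
    """Hardened pattern: besides the session, the POST must carry a token
    that only a page rendered inside this session could have read, and an
    Origin header, when the browser sends one, must be our own origin."""
    session = SESSIONS.get(cookies.get("JSESSIONID"))
    if session is None:
        return 401
    origin = headers.get("Origin")
    if origin is not None and origin != OUR_ORIGIN:
        return 403
    # Constant-time comparison so the token check does not leak timing.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return 403
    CLIENTS[form["client_name"]] = {"owner": session["user"]}
    return 200


def simulate():
    """Constructed requests: a forged post from a foreign origin (cookie
    present, no token) and a legitimate post from our own form."""
    cookies = {"JSESSIONID": "sess-admin"}
    forged = {"client_name": "forged-client"}
    legit = {"client_name": "real-client",
             "csrf_token": SESSIONS["sess-admin"]["csrf_token"]}
    return {
        "unprotected_forged": create_client_unprotected(cookies, forged),
        "protected_forged": create_client_protected(
            cookies, forged, {"Origin": "https://attacker.example.test"}),
        "protected_legit": create_client_protected(
            cookies, legit, {"Origin": OUR_ORIGIN}),
    }
```

Run `simulate()` to see the forged request succeed against the unprotected handler and be refused by the protected one while the legitimate request still passes.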