CVE-2018-8038: Apache CXF Fediz is vulnerable to DTD based XML attacks

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF Fediz prior to 1.4.4.

Description:

Apache CXF Fediz is a subproject of Apache CXF which implements the WS-Federation Passive Requestor Profile for SSO specification.

In 2015, a security advisory CVE-2015-5175 was issued for Apache CXF Fediz, titled "Apache CXF Fediz application plugins are vulnerable to Denial of Service (DoS) attacks". This was due to the fact that Document Type Declarations (DTDs) were not disabled when parsing the response from the Identity Provider (IdP).

The fix for advisory CVE-2015-5175 in Apache CXF Fediz 1.1.3 and 1.2.1 prevented DoS style attacks via DTDs. However, it did not fully disable DTDs, meaning that the Fediz plugins could potentially be subject to a DTD-based XML attack.

In addition, the Apache CXF Fediz IdP is also potentially subject to DTD-based XML attacks for some of the WS-Federation request parameters.

This has been fixed in revision:

https://github.com/apache/cxf-fediz/commit/b6ed9865d0614332fa419fe4b6d0fe81bc2e660d

Migration:

Apache CXF Fediz users should upgrade to 1.4.4 as soon as possible.
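The difference the advisory describes between limiting DTD processing and disabling DTDs altogether can be seen with the JDK's JAXP parser. This is an added example, not code from the Fediz project or its fix; the class name, the constructed sample documents and the use of `DocumentBuilderFactory` with the Xerces `disallow-doctype-decl` feature are assumptions chosen for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXException;

public class DtdHardeningDemo {
    // Constructed samples standing in for an XML message received from a peer.
    // The first carries a harmless internal DTD; the second has no DOCTYPE.
    static final String WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE r [ <!ENTITY greeting \"hello\"> ]>\n"
      + "<r>&greeting;</r>";
    static final String WITHOUT_DTD = "<?xml version=\"1.0\"?><r>hello</r>";

    // Limits only: secure processing caps entity expansion (the DoS case),
    // but a DOCTYPE declaration is still accepted and processed.
    static DocumentBuilderFactory limitsOnly() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    // DTDs disabled: any DOCTYPE declaration becomes a fatal parse error.
    // The feature URI is the one understood by Xerces and the JDK's built-in parser.
    static DocumentBuilderFactory dtdDisabled() throws Exception {
        DocumentBuilderFactory f = limitsOnly();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f;
    }

    // Parses the document and reports whether the parser accepted it.
    static String tryParse(DocumentBuilderFactory f, String xml) throws Exception {
        byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
        try {
            String text = f.newDocumentBuilder()
                           .parse(new ByteArrayInputStream(bytes))
                           .getDocumentElement().getTextContent();
            return "accepted, text=" + text;
        } catch (SAXException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("limits only, DTD:     " + tryParse(limitsOnly(), WITH_DTD));
        System.out.println("DTD disabled, DTD:    " + tryParse(dtdDisabled(), WITH_DTD));
        System.out.println("DTD disabled, no DTD: " + tryParse(dtdDisabled(), WITHOUT_DTD));
    }
}
```

A useful regression check after upgrading is a test that feeds a document with a DOCTYPE to every XML entry point and asserts that parsing fails.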