CVE-2014-3623: Apache CXF does not properly enforce the security semantics of
SAML SubjectConfirmation methods when used with the TransportBinding
Severity: Major
Vendor: The Apache Software Foundation
Versions Affected:
This vulnerability affects all versions of Apache CXF prior to 2.7.13 and
3.0.2.
Description:
There are different security requirements associated with SAML
SubjectConfirmation methods. These security requirements are not properly
enforced in Apache CXF when used with the TransportBinding, leaving endpoints
that rely on SAML for authentication vulnerable to types of spoofing attacks.
This has been fixed in the following Apache WSS4J revisions:
http://svn.apache.org/viewvc?view=revision&revision=1624308
http://svn.apache.org/viewvc?view=revision&revision=1624287
http://svn.apache.org/viewvc?view=revision&revision=1624262
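To make the "different security requirements" concrete, the following added example (not code from Apache CXF or WSS4J) shows a policy check a relying party should apply to an assertion received over the TransportBinding, modelled on the WS-Security SAML Token Profile semantics of the bearer, sender-vouches and holder-of-key confirmation methods. It assumes the TLS layer has already authenticated any client certificate and that the assertion's XML signature has already been verified; the assertion skeleton and certificate value it parses are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

def validate_subject_confirmation(assertion_xml, tls_client_cert, issuer_signature_trusted):
    """Return (accepted, reason) for an assertion received over the TransportBinding.
    tls_client_cert: base64 DER of the TLS-authenticated client cert, or None if absent.
    issuer_signature_trusted: True only if the assertion's signature verified against a trusted issuer."""
    root = ET.fromstring(assertion_xml)
    reasons = []
    for sc in root.findall(".//saml:SubjectConfirmation", NS):
        method = sc.get("Method")
        if method == BEARER:
            # Bearer: nothing binds the presenter to the subject; only a trusted issuer signature counts.
            if issuer_signature_trusted:
                return True, "bearer: trusted issuer signature"
            reasons.append("bearer: assertion not signed by a trusted issuer")
        elif method == SENDER_VOUCHES:
            # Sender-vouches: the sender vouches for the subject, so the sender itself must be
            # authenticated (TLS client cert). Skipping this lets anyone name an arbitrary subject.
            if tls_client_cert:
                return True, "sender-vouches: authenticated sender"
            reasons.append("sender-vouches: sender not authenticated")
        elif method == HOLDER_OF_KEY:
            # Holder-of-key: presenter must prove possession of the key the issuer bound into the
            # (trusted) assertion; over TLS the client certificate must match the embedded one.
            cert = sc.find(".//ds:X509Certificate", NS)
            embedded = "".join((cert.text or "").split()) if cert is not None else None
            presented = "".join(tls_client_cert.split()) if tls_client_cert else None
            if not issuer_signature_trusted:
                reasons.append("holder-of-key: assertion not signed by a trusted issuer")
            elif embedded is None or embedded != presented:
                reasons.append("holder-of-key: TLS client cert does not match confirmation key")
            else:
                return True, "holder-of-key: proof of possession via TLS client cert"
        else:
            reasons.append(f"unsupported confirmation method: {method}")
    return False, "; ".join(reasons) or "no SubjectConfirmation element"

def sample_assertion(method, cert_b64=None):
    """Constructed, unsigned assertion skeleton (demonstration input only)."""
    key_info = (f"<saml:SubjectConfirmationData><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
                f"{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
                "</saml:SubjectConfirmationData>") if cert_b64 else ""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}"><saml:Subject>'
            f'<saml:NameID>alice</saml:NameID><saml:SubjectConfirmation Method="{method}">'
            f"{key_info}</saml:SubjectConfirmation></saml:Subject></saml:Assertion>")
```

The sender-vouches branch without a client certificate is the case to watch for: an unsigned assertion from an unauthenticated sender must be rejected, not treated as authentication.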
Migration:
CXF 2.7.x users should upgrade to 2.7.13 or later as soon as possible.
CXF 3.0.x users should upgrade to 3.0.2 or later as soon as possible.
Credit: This issue was reported by Dario Amiri (GE Global Research)
References: http://cxf.apache.org/security-advisories.html