CVE-2014-0035
First published: Fri May 02 2014(Updated: )
The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache CXF | <=2.6.12 | |
| Apache CXF | =2.6.0 | |
| Apache CXF | =2.6.1 | |
| Apache CXF | =2.6.2 | |
| Apache CXF | =2.6.3 | |
| Apache CXF | =2.6.4 | |
| Apache CXF | =2.6.5 | |
| Apache CXF | =2.6.6 | |
| Apache CXF | =2.6.7 | |
| Apache CXF | =2.6.8 | |
| Apache CXF | =2.6.9 | |
| Apache CXF | =2.6.10 | |
| Apache CXF | =2.6.11 | |
| Apache CXF | =2.7.0 | |
| Apache CXF | =2.7.1 | |
| Apache CXF | =2.7.2 | |
| Apache CXF | =2.7.3 | |
| Apache CXF | =2.7.4 | |
| Apache CXF | =2.7.5 | |
| Apache CXF | =2.7.6 | |
| Apache CXF | =2.7.7 | |
| Apache CXF | =2.7.8 | |
| Apache CXF | =2.7.9 | |
| Redhat Jboss Enterprise Application Platform | =6.0.0 | |
| Redhat Jboss Enterprise Application Platform | =6.2.0 | |
| maven/org.apache.cxf:cxf-core | >=2.7.0<2.7.10 | 2.7.10 |
| maven/org.apache.cxf:cxf-core | <2.6.13 | 2.6.13 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://cxf.apache.org/security-advisories.data/CVE-2014-0035.txt.asc
- http://svn.apache.org/viewvc?view=revision&revision=1564724
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1095534
- https://rhn.redhat.com/errata/RHSA-2014-0797.html
- https://rhn.redhat.com/errata/RHSA-2014-0798.html
- https://rhn.redhat.com/errata/RHSA-2014-0799.html
- https://rhn.redhat.com/errata/RHSA-2014-1351.html
- https://rhn.redhat.com/errata/RHSA-2015-0851.html
- https://rhn.redhat.com/errata/RHSA-2015-0850.html
- https://rhn.redhat.com/errata/RHSA-2015-1009.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1093530
- http://rhn.redhat.com/errata/RHSA-2014-0797.html
- http://rhn.redhat.com/errata/RHSA-2014-0798.html
- http://rhn.redhat.com/errata/RHSA-2014-0799.html
- http://rhn.redhat.com/errata/RHSA-2014-1351.html
- http://rhn.redhat.com/errata/RHSA-2015-0850.html
- http://rhn.redhat.com/errata/RHSA-2015-0851.html
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2014-0035
- https://github.com/apache/cxf/commit/2d2fd1bf67dc2247b6aca31b83a571d865fad1c9
- https://github.com/apache/cxf/commit/d249721708694cbb0f431c0658166ebdcb02ec15
- https://github.com/advisories/GHSA-v45r-rj5x-hpg2 (Advisory)
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-v45r-rj5x-hpg2
- alias/CVE-2014-0035
- collector/nvd-cve
- collector/github-advisory
- agent/author
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/remedy
- agent/severity
- agent/last-modified-date
- agent/references
- agent/event
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/tags
- agent/trending
- vendor/apache
- canonical/apache cxf
- version/apache cxf/2.6.12
- version/apache cxf/2.6.0
- version/apache cxf/2.6.1
- version/apache cxf/2.6.2
- version/apache cxf/2.6.3
- version/apache cxf/2.6.4
- version/apache cxf/2.6.5
- version/apache cxf/2.6.6
- version/apache cxf/2.6.7
- version/apache cxf/2.6.8
- version/apache cxf/2.6.9
- version/apache cxf/2.6.10
- version/apache cxf/2.6.11
- version/apache cxf/2.7.0
- version/apache cxf/2.7.1
- version/apache cxf/2.7.2
- version/apache cxf/2.7.3
- version/apache cxf/2.7.4
- version/apache cxf/2.7.5
- version/apache cxf/2.7.6
- version/apache cxf/2.7.7
- version/apache cxf/2.7.8
- version/apache cxf/2.7.9
- vendor/redhat
- canonical/redhat jboss enterprise application platform
- version/redhat jboss enterprise application platform/6.0.0
- version/redhat jboss enterprise application platform/6.2.0
- package-manager/maven
- package-manager/redhat