CVE-2014-0035
First published: Fri May 02 2014(Updated: )
The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.cxf:cxf-core | >=2.7.0<2.7.10 | 2.7.10 |
| maven/org.apache.cxf:cxf-core | <2.6.13 | 2.6.13 |
| redhat/cxf | <2.6.14 | 2.6.14 |
| redhat/cxf | <2.7.11 | 2.7.11 |
| Apache CXF | <=2.6.12 | |
| Apache CXF | =2.6.0 | |
| Apache CXF | =2.6.1 | |
| Apache CXF | =2.6.2 | |
| Apache CXF | =2.6.3 | |
| Apache CXF | =2.6.4 | |
| Apache CXF | =2.6.5 | |
| Apache CXF | =2.6.6 | |
| Apache CXF | =2.6.7 | |
| Apache CXF | =2.6.8 | |
| Apache CXF | =2.6.9 | |
| Apache CXF | =2.6.10 | |
| Apache CXF | =2.6.11 | |
| Apache CXF | =2.7.0 | |
| Apache CXF | =2.7.1 | |
| Apache CXF | =2.7.2 | |
| Apache CXF | =2.7.3 | |
| Apache CXF | =2.7.4 | |
| Apache CXF | =2.7.5 | |
| Apache CXF | =2.7.6 | |
| Apache CXF | =2.7.7 | |
| Apache CXF | =2.7.8 | |
| Apache CXF | =2.7.9 | |
| JBoss Enterprise Application Platform | =6.0.0 | |
| JBoss Enterprise Application Platform | =6.2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://cxf.apache.org/security-advisories.data/CVE-2014-0035.txt.asc
- http://svn.apache.org/viewvc?view=revision&revision=1564724
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1095534
- https://rhn.redhat.com/errata/RHSA-2014-0797.html
- https://rhn.redhat.com/errata/RHSA-2014-0798.html
- https://rhn.redhat.com/errata/RHSA-2014-0799.html
- https://rhn.redhat.com/errata/RHSA-2014-1351.html
- https://rhn.redhat.com/errata/RHSA-2015-0851.html
- https://rhn.redhat.com/errata/RHSA-2015-0850.html
- https://rhn.redhat.com/errata/RHSA-2015-1009.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1093530
- http://rhn.redhat.com/errata/RHSA-2014-0797.html
- http://rhn.redhat.com/errata/RHSA-2014-0798.html
- http://rhn.redhat.com/errata/RHSA-2014-0799.html
- http://rhn.redhat.com/errata/RHSA-2014-1351.html
- http://rhn.redhat.com/errata/RHSA-2015-0850.html
- http://rhn.redhat.com/errata/RHSA-2015-0851.html
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2014-0035
- https://github.com/apache/cxf/commit/2d2fd1bf67dc2247b6aca31b83a571d865fad1c9
- https://github.com/apache/cxf/commit/d249721708694cbb0f431c0658166ebdcb02ec15
- https://github.com/advisories/GHSA-v45r-rj5x-hpg2 (Advisory)
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
Frequently Asked Questions
What is the severity of CVE-2014-0035?
CVE-2014-0035 has a medium severity as it allows sensitive information to be transmitted in cleartext.
How do I fix CVE-2014-0035?
To fix CVE-2014-0035, you should upgrade to Apache CXF version 2.6.13 or 2.7.10, or later.
What versions of Apache CXF are affected by CVE-2014-0035?
CVE-2014-0035 affects Apache CXF versions prior to 2.6.13 and 2.7.x versions before 2.7.10.
What is the impact of CVE-2014-0035?
The impact of CVE-2014-0035 is that it may expose username tokens to attackers, leading to unauthorized access.
Is there a workaround for CVE-2014-0035 if I cannot upgrade?
There is no specific workaround for CVE-2014-0035; upgrading to a patched version is recommended.
- collector/github-advisory-latest
- alias/GHSA-v45r-rj5x-hpg2
- alias/CVE-2014-0035
- collector/github-advisory
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/remedy
- agent/severity
- agent/last-modified-date
- agent/references
- agent/event
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/trending
- agent/source
- agent/author
- agent/tags
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- package-manager/maven
- package-manager/redhat
- vendor/apache
- canonical/apache cxf
- version/apache cxf/2.6.12
- version/apache cxf/2.6.0
- version/apache cxf/2.6.1
- version/apache cxf/2.6.2
- version/apache cxf/2.6.3
- version/apache cxf/2.6.4
- version/apache cxf/2.6.5
- version/apache cxf/2.6.6
- version/apache cxf/2.6.7
- version/apache cxf/2.6.8
- version/apache cxf/2.6.9
- version/apache cxf/2.6.10
- version/apache cxf/2.6.11
- version/apache cxf/2.7.0
- version/apache cxf/2.7.1
- version/apache cxf/2.7.2
- version/apache cxf/2.7.3
- version/apache cxf/2.7.4
- version/apache cxf/2.7.5
- version/apache cxf/2.7.6
- version/apache cxf/2.7.7
- version/apache cxf/2.7.8
- version/apache cxf/2.7.9
- vendor/redhat
- canonical/jboss enterprise application platform
- version/jboss enterprise application platform/6.0.0
- version/jboss enterprise application platform/6.2.0