CVE-2017-5653
First published: Tue Apr 18 2017(Updated: )
Apache CXF supports the ability to use XML Signature and encryption to secure JAX-RS services. Two different implementations are available, a DOM based approach that works on a model of the message in memory before applying security, and a streaming based implementation that is a useful alternative for larger messages. There is a bug in validating messages for JAX-RS clients using the streaming approach, where it will not enforce that the message is signed and/or encrypted. An exception is thrown in these cases but not properly propagated to the client code. The bug does not apply for the DOM clients and it does not apply for the streaming server side case. External References: <a href="http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc">http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc</a> Upstream patch: <a href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=fade9b81dabe27f864ca38e7b40f28fb44d6f165">https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=fade9b81dabe27f864ca38e7b40f28fb44d6f165</a>
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/cxf | <3.1.11 | 3.1.11 |
| redhat/cxf | <3.0.13 | 3.0.13 |
| Apache CXF | >=3.0.0<=3.0.13 | |
| Apache CXF | >=3.1.0<=3.1.11 | |
| maven/org.apache.cxf:cxf-core | <=3.0.12 | 3.0.13 |
| maven/org.apache.cxf:cxf-core | >=3.1.0<=3.1.10 | 3.1.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2017-5653
- https://access.redhat.com/errata/RHSA-2017:1832
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E
- http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc?version=1&modificationDate=1492515074710&api=v2
- https://github.com/apache/cxf/commit/20d0fa3ec41c16c52b74dcc006f9d9ea212fa80f
- https://github.com/advisories/GHSA-hgg6-8x62-m9gf (Advisory)
- http://www.securityfocus.com/bid/97968
- http://www.securitytracker.com/id/1038279
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
- http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc
- https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=fade9b81dabe27f864ca38e7b40f28fb44d6f165
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1445335
- https://bugzilla.redhat.com/show_bug.cgi?id=1445327
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-hgg6-8x62-m9gf
- alias/CVE-2017-5653
- collector/nvd-cve
- collector/github-advisory
- agent/author
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/remedy
- agent/weakness
- agent/severity
- agent/references
- agent/tags
- agent/description
- agent/event
- agent/trending
- vendor/apache
- canonical/apache cxf
- version/apache cxf/3.0.0
- version/apache cxf/3.0.13
- version/apache cxf/3.1.0
- version/apache cxf/3.1.11
- package-manager/maven
- package-manager/redhat