CVE-2017-5653
First published: Tue Apr 18 2017(Updated: )
Apache CXF supports the ability to use XML Signature and encryption to secure JAX-RS services. Two different implementations are available, a DOM based approach that works on a model of the message in memory before applying security, and a streaming based implementation that is a useful alternative for larger messages. There is a bug in validating messages for JAX-RS clients using the streaming approach, where it will not enforce that the message is signed and/or encrypted. An exception is thrown in these cases but not properly propagated to the client code. The bug does not apply for the DOM clients and it does not apply for the streaming server side case. External References: <a href="http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc">http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc</a> Upstream patch: <a href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=fade9b81dabe27f864ca38e7b40f28fb44d6f165">https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=fade9b81dabe27f864ca38e7b40f28fb44d6f165</a>
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/cxf | <3.1.11 | 3.1.11 |
| redhat/cxf | <3.0.13 | 3.0.13 |
| Apache CXF | >=3.0.0<=3.0.13 | |
| Apache CXF | >=3.1.0<=3.1.11 | |
| maven/org.apache.cxf:cxf-core | <=3.0.12 | 3.0.13 |
| maven/org.apache.cxf:cxf-core | >=3.1.0<=3.1.10 | 3.1.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2017-5653
- https://access.redhat.com/errata/RHSA-2017:1832
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E
- http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc?version=1&modificationDate=1492515074710&api=v2
- https://github.com/apache/cxf/commit/20d0fa3ec41c16c52b74dcc006f9d9ea212fa80f
- https://github.com/advisories/GHSA-hgg6-8x62-m9gf (Advisory)
- http://www.securityfocus.com/bid/97968
- http://www.securitytracker.com/id/1038279
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
- http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc
- https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=fade9b81dabe27f864ca38e7b40f28fb44d6f165
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1445335
- https://bugzilla.redhat.com/show_bug.cgi?id=1445327
Frequently Asked Questions
What is the severity of CVE-2017-5653?
CVE-2017-5653 is classified as a moderate severity vulnerability.
How do I fix CVE-2017-5653?
To fix CVE-2017-5653, upgrade Apache CXF to version 3.1.11 or 3.0.13.
What versions of Apache CXF are affected by CVE-2017-5653?
CVE-2017-5653 affects Apache CXF versions between 3.0.0 and 3.0.13 as well as between 3.1.0 and 3.1.11.
What types of services does CVE-2017-5653 impact?
CVE-2017-5653 impacts JAX-RS services that utilize XML Signature and encryption in Apache CXF.
Is CVE-2017-5653 specific to any particular software environment?
CVE-2017-5653 is relevant primarily to environments running Apache CXF for web services.
- collector/github-advisory-latest
- alias/GHSA-hgg6-8x62-m9gf
- alias/CVE-2017-5653
- collector/github-advisory
- agent/author
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/remedy
- agent/weakness
- agent/severity
- agent/references
- agent/event
- agent/trending
- agent/description
- agent/source
- agent/tags
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/maven
- package-manager/redhat
- vendor/apache
- canonical/apache cxf
- version/apache cxf/3.0.0
- version/apache cxf/3.0.13
- version/apache cxf/3.1.0
- version/apache cxf/3.1.11