CVE-2017-5656
First published: Tue Apr 18 2017(Updated: )
An Apache CXF endpoint can be used as an intermediary, where a token credential from the received message is used as a delegation token to obtain a new token from a Security Token Service (STS) for the outbound request. By default, the token retrieved from the STS is cached and associated with the delegation token via an identifier extracted from the delegation token. However, there is a weakness in how the identifier is extracted from the delegation token, which means that an attacker could craft a token which would return an identifer corresponding to a cached token for another user. External References: <a href="http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc">http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc</a> Upstream patch: <a href="https://github.com/apache/cxf/commit/66c2c5b99e01a2165a2c5ed9ae34b4b9a512cb39">https://github.com/apache/cxf/commit/66c2c5b99e01a2165a2c5ed9ae34b4b9a512cb39</a>
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/cxf | <3.1.11 | 3.1.11 |
| redhat/cxf | <3.0.13 | 3.0.13 |
| Apache CXF | >=3.0.0<3.0.13 | |
| Apache CXF | >=3.1.0<3.1.11 | |
| maven/org.apache.cxf:cxf-core | <=3.0.12 | 3.0.13 |
| maven/org.apache.cxf:cxf-core | >=3.1.0<=3.1.10 | 3.1.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2017-5656
- https://access.redhat.com/errata/RHSA-2017:1832
- https://access.redhat.com/errata/RHSA-2018:1694
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E
- http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc?version=1&modificationDate=1492515113282&api=v2
- http://www.securityfocus.com/bid/97971
- http://www.securitytracker.com/id/1038282
- https://github.com/apache/cxf/commit/1a4fe22fc297f8be204788bcdfcd498e91201a01
- https://github.com/advisories/GHSA-v936-x3j5-c76j (Advisory)
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
- http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc
- https://github.com/apache/cxf/commit/66c2c5b99e01a2165a2c5ed9ae34b4b9a512cb39
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1445335
- https://bugzilla.redhat.com/show_bug.cgi?id=1445329
Frequently Asked Questions
What is the severity of CVE-2017-5656?
CVE-2017-5656 is considered a moderate severity vulnerability due to its potential impact on security token management.
How do I fix CVE-2017-5656?
To fix CVE-2017-5656, upgrade Apache CXF to version 3.1.11 or later, or to 3.0.13 or later if using older versions.
Which versions of Apache CXF are affected by CVE-2017-5656?
CVE-2017-5656 affects Apache CXF versions from 3.0.0 up to 3.0.13 and 3.1.0 up to 3.1.11.
Is CVE-2017-5656 related to security token services?
Yes, CVE-2017-5656 involves the misuse of token credentials in the context of delegation tokens for security token services.
What type of software does CVE-2017-5656 impact?
CVE-2017-5656 impacts software that utilizes the Apache CXF framework for web services.
- collector/github-advisory-latest
- alias/GHSA-v936-x3j5-c76j
- alias/CVE-2017-5656
- collector/github-advisory
- agent/author
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/remedy
- agent/weakness
- agent/severity
- agent/event
- agent/description
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/maven
- package-manager/redhat
- vendor/apache
- canonical/apache cxf
- version/apache cxf/3.0.0
- version/apache cxf/3.1.0