CVE-2017-5656
First published: Tue Apr 18 2017(Updated: )
An Apache CXF endpoint can be used as an intermediary, where a token credential from the received message is used as a delegation token to obtain a new token from a Security Token Service (STS) for the outbound request. By default, the token retrieved from the STS is cached and associated with the delegation token via an identifier extracted from the delegation token. However, there is a weakness in how the identifier is extracted from the delegation token, which means that an attacker could craft a token which would return an identifer corresponding to a cached token for another user. External References: <a href="http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc">http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc</a> Upstream patch: <a href="https://github.com/apache/cxf/commit/66c2c5b99e01a2165a2c5ed9ae34b4b9a512cb39">https://github.com/apache/cxf/commit/66c2c5b99e01a2165a2c5ed9ae34b4b9a512cb39</a>
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/cxf | <3.1.11 | 3.1.11 |
| redhat/cxf | <3.0.13 | 3.0.13 |
| Apache CXF | >=3.0.0<3.0.13 | |
| Apache CXF | >=3.1.0<3.1.11 | |
| maven/org.apache.cxf:cxf-core | <=3.0.12 | 3.0.13 |
| maven/org.apache.cxf:cxf-core | >=3.1.0<=3.1.10 | 3.1.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2017-5656
- https://access.redhat.com/errata/RHSA-2017:1832
- https://access.redhat.com/errata/RHSA-2018:1694
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E
- http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc?version=1&modificationDate=1492515113282&api=v2
- http://www.securityfocus.com/bid/97971
- http://www.securitytracker.com/id/1038282
- https://github.com/apache/cxf/commit/1a4fe22fc297f8be204788bcdfcd498e91201a01
- https://github.com/advisories/GHSA-v936-x3j5-c76j (Advisory)
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
- http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc
- https://github.com/apache/cxf/commit/66c2c5b99e01a2165a2c5ed9ae34b4b9a512cb39
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1445335
- https://bugzilla.redhat.com/show_bug.cgi?id=1445329
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-v936-x3j5-c76j
- alias/CVE-2017-5656
- collector/nvd-cve
- collector/github-advisory
- agent/author
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/remedy
- agent/weakness
- agent/severity
- agent/event
- agent/description
- agent/trending
- agent/tags
- agent/source
- vendor/apache
- canonical/apache cxf
- version/apache cxf/3.0.0
- version/apache cxf/3.1.0
- package-manager/maven
- package-manager/redhat