Tuesday, April 18, 2017

Apache CXF 3.1.11 released

Apache CXF 3.1.11 (and 3.0.13) has been released. This release fixes a large number of bugs (there are over a 100 issues fixed in the CXF JIRA for this release). From a security POV, here are some of the more notable bug fixes and changes:
  • CXF-7315 - Abstract the STS client token caching behaviour to allow the user to plug in a custom implementation
  • CXF-7296 - Add support to enable revocation for TLS via configuration (see here). 
  • CXF-7314 - Custom BinarySecurityTokens are not used to set up the security context
  • CXF-4692 - Allow customization of Request Security Token Response
  • CXF-7252 - TLSParameterJaxBUtils.getTrustManagers getting password from wrong system property
In addition, two new security advisories have been issued for bugs fixed in this release:
  • CVE-2017-5653 - Apache CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted.
  • CVE-2017-5656 - Apache CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens.
Please update to the latest releases if you are affected by either of these issues.


  1. This comment has been removed by the author.

  2. Please ask on the CXF users mailing list instead.