Thursday, June 7, 2012

New security vulnerabilities in Apache CXF

Two new security vulnerabilities have been announced in Apache CXF. Those of you using WS-SecurityPolicy should read the announcements carefully to make sure that you are not affected. If these vulnerabilities apply to your deployment then you should upgrade to a more recent version of CXF that contains fixes for these vulnerabilities. The issues in question are:
  • CVE-2012-2378 - Apache CXF does not pick up some child policies of
    WS-SecurityPolicy 1.1 SupportingToken policy assertions on the client
  • CVE-2012-2379 - Apache CXF does not verify that elements were
    signed or encrypted by a particular Supporting Token.


No comments:

Post a Comment