Two new security advisories have been released for Apache CXF. Please see the CXF security advisories page for the details:
- Apache CXF does not properly enforce the security semantics of SAML SubjectConfirmation methods when used with the TransportBinding
- CVE-2014-3584: Apache CXF JAX-RS SAML handling is vulnerable to a Denial of Service (DoS) attack
If you are using SAML SSO, or SAML tokens with the WS-SecurityPolicy Transport binding, you should upgrade to either CXF 2.7.13 or 3.0.2.