Tuesday, April 18, 2017

Apache CXF 3.1.11 released

Apache CXF 3.1.11 (and 3.0.13) has been released. This release fixes a large number of bugs (over 100 issues are marked as fixed in the CXF JIRA for this release). From a security point of view, here are some of the more notable bug fixes and changes:
  • CXF-7315 - Abstract the STS client token caching behaviour to allow the user to plug in a custom implementation
  • CXF-7296 - Add support to enable revocation checking for TLS via configuration.
  • CXF-7314 - Custom BinarySecurityTokens are not used to set up the security context
  • CXF-4692 - Allow customization of Request Security Token Response
  • CXF-7252 - TLSParameterJaxBUtils.getTrustManagers getting password from wrong system property
In addition, two new security advisories have been issued for bugs fixed in this release:
  • CVE-2017-5653 - Apache CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted.
  • CVE-2017-5656 - Apache CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens.
Please update to the latest releases if you are affected by either of these issues.