Apache CXF WSS4JInInterceptor always allows HTTP Get requests

2013.02.11
Credit: Apache
Risk: High
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

CVE-2012-5633: WSS4JInInterceptor always allows HTTP Get requests from browser Severity: Critical Vendor: The Apache Software Foundation Versions Affected: This vulnerability affects all versions of Apache CXF prior to 2.5.8, 2.6.5 and 2.7.2. CXF 2.7.1 is not affected by default, however the vulnerability exists if you are explicitly adding the URIMappingInterceptor to the default chain. Description: The URIMappingInterceptor in CXF is a legacy interceptor that allows some basic "rest style" access to a simple SOAP service. The functionality provided by this interceptor has since been replaced by the JAX-RS standard. An example of how this interceptor works is as follows. A simple "double it" webservice is defined as: @WebService(name = "DoubleItPortType") public interface DoubleItPortType Unknown macro: { @WebMethod(operationName = "DoubleIt") public int doubleIt( @WebParam(name = "numberToDouble") int numberToDouble ); } The URIMappingInterceptor can allow a REST client access the service via a GET request to a URL like: http://localhost:8080/DoubleItPort/DoubleIt&numberToDouble=20 The vulnerability is when a simple SOAP service is secured with the WSS4JInInterceptor, which enables WS-Security processing of the request. WS-Security processing is completely by-passed in the case of a HTTP GET request, and so access to the service can be enabled by the URIMappingInterceptor. This is a critical vulnerability if you are using a WS-Security UsernameToken or a SOAP message signature via the WSS4JInInterceptor to authenticate users for a simple SOAP service. Please note that this advisory does not apply if you are using WS-SecurityPolicy to secure the service, as the relevant policies will not be asserted. Also note that this attack is only applicable to relatively simple services that can be mapped to a URI via the URIMappingInterceptor. This has been fixed in revisions: http://svn.apache.org/viewvc?view=revision&revision=1409324 http://svn.apache.org/viewvc?view=revision&revision=1420698 Migration: Although this issue is fixed in CXF 2.5.8, 2.6.5 and 2.7.2, due to a separate security vulnerability (CVE-2013-0239), CXF users should upgrade to the following versions: Users of CXF prior to 2.5.x should upgrade to either 2.5.9, 2.6.6, or 2.7.3. CXF 2.5.x users should upgrade to 2.5.9 as soon as possible. CXF 2.6.x users should upgrade to 2.6.6 as soon as possible. CXF 2.7.x users should upgrade to 2.7.3 as soon as possible. References: http://cxf.apache.org/security-advisories.html

References:

http://cxf.apache.org/security-advisories.html
http://svn.apache.org/viewvc?view=revision&revision=1409324
http://svn.apache.org/viewvc?view=revision&revision=1420698


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top