CVE-2012-5633: WSS4JInInterceptor always allows HTTP Get requests from browser
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected:
This vulnerability affects all versions of Apache CXF prior to 2.5.8, 2.6.5
and 2.7.2. CXF 2.7.1 is not affected by default, however the vulnerability
exists if you are explicitly adding the URIMappingInterceptor to the default
chain.
Description:
The URIMappingInterceptor in CXF is a legacy interceptor that allows some basic
"rest style" access to a simple SOAP service. The functionality provided by
this interceptor has since been replaced by the JAX-RS standard.
An example of how this interceptor works is as follows. A simple "double it"
webservice is defined as:
@WebService(name = "DoubleItPortType")
public interface DoubleItPortType
Unknown macro: { @WebMethod(operationName = "DoubleIt") public int doubleIt( @WebParam(name = "numberToDouble") int numberToDouble ); }
The URIMappingInterceptor can allow a REST client access the service via a GET
request to a URL like:
http://localhost:8080/DoubleItPort/DoubleIt&numberToDouble=20
The vulnerability is when a simple SOAP service is secured with the
WSS4JInInterceptor, which enables WS-Security processing of the request.
WS-Security processing is completely by-passed in the case of a HTTP GET
request, and so access to the service can be enabled by the
URIMappingInterceptor.
This is a critical vulnerability if you are using a WS-Security UsernameToken
or a SOAP message signature via the WSS4JInInterceptor to authenticate users
for a simple SOAP service. Please note that this advisory does not apply if
you are using WS-SecurityPolicy to secure the service, as the relevant policies
will not be asserted. Also note that this attack is only applicable to
relatively simple services that can be mapped to a URI via the
URIMappingInterceptor.
This has been fixed in revisions:
http://svn.apache.org/viewvc?view=revision&revision=1409324 http://svn.apache.org/viewvc?view=revision&revision=1420698
Migration:
Although this issue is fixed in CXF 2.5.8, 2.6.5 and 2.7.2, due to a separate
security vulnerability (CVE-2013-0239), CXF users should upgrade to the
following versions:
Users of CXF prior to 2.5.x should upgrade to either 2.5.9, 2.6.6, or 2.7.3.
CXF 2.5.x users should upgrade to 2.5.9 as soon as possible.
CXF 2.6.x users should upgrade to 2.6.6 as soon as possible.
CXF 2.7.x users should upgrade to 2.7.3 as soon as possible.
References: http://cxf.apache.org/security-advisories.html