CVE-2013-0239: Authentication bypass in the case of WS-SecurityPolicy enabled
plaintext UsernameTokens.
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected:
This vulnerability affects all versions of Apache CXF prior to 2.5.9, 2.6.6
and 2.7.3.
Description:
The following WS-SecurityPolicy 1.3 fragment requires that a WS-Security
UsernameToken must be present in the security header of a SOAP request:
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10/>
</wsp:Policy>
</sp:UsernameToken>
If a UsernameToken element is sent with no password child element, then a
policy similar to the policy defined above will completely bypass
authentication by default. This is due to the use-case of supporting deriving
keys from a UsernameToken, where a password element would not be sent in the
token.
The vulnerability does not apply in any of the following circumstances:
a) You are using a custom UsernameTokenValidator which does not allow the
'verifyUnknownPassword' use-case, or that otherwise insists that a password
must be present in the token (such as the 'JAASUsernameTokenValidator' in
WSS4J).
b) You are using a 'sp:HashPassword' policy that requires a hashed password
to be present in the token.
c) You are using the older style of configuring WS-Security without using
WS-SecurityPolicy.
If you are relying on WS-SecurityPolicy enabled plaintext UsernameTokens to
authenticate users, and if neither points a) nor b) apply, then you must
upgrade to a fixed version of CXF (see below), or else configure a custom
UsernameTokenValidator implementation to insist that a password element must
be present.
The fix has been to require a password element in the case of a (non-endorsing)
SupportingToken.
This has been fixed in revisions:
http://svn.apache.org/viewvc?view=revision&revision=1438424
Migration:
Users of CXF prior to 2.5.x should upgrade to either 2.5.9, 2.6.6, or 2.7.3.
CXF 2.5.x users should upgrade to 2.5.9 as soon as possible.
CXF 2.6.x users should upgrade to 2.6.6 as soon as possible.
CXF 2.7.x users should upgrade to 2.7.3 as soon as possible.
References: http://cxf.apache.org/security-advisories.html