
build(deps): [security] bump version.cxf from 2.7.2 to 3.3.0 #54

Open: wants to merge 1 commit into master

Conversation

dependabot-preview[bot] (Contributor)

Bumps version.cxf from 2.7.2 to 3.3.0.

Updates cxf-rt-frontend-jaxrs from 2.7.2 to 3.3.0. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Sonatype OSS Index.

[CVE-2014-3623] Improper Authentication
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.

Affected versions: [2.7.0, 2.7.13]; [3.0.0, 3.0.2)

Sourced from The Sonatype OSS Index.

[CVE-2012-5575] Cryptographic Issues
Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka "XML Encryption backwards compatibility attack."

Affected versions: [2.5.0, 2.5.9]; [2.6.0, 2.6.6]; [2.7.0, 2.7.3]

Sourced from The Sonatype OSS Index.

[CVE-2017-3156] The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3...
The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.

Affected versions: (, 3.0.12]; [3.1.0, 3.1.9]

Sourced from The Sonatype OSS Index.

[CVE-2017-5656] Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tok...
Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifier corresponding to a cached token for another user.

Affected versions: (, 3.0.12]; (, 3.1.10]

Sourced from The Sonatype OSS Index.

[CVE-2016-8739] Improper Restriction of XML External Entity Reference ("XXE")
The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.

Affected versions: (, 3.0.11]; [3.1.0, 3.1.8]

Sourced from The Sonatype OSS Index.

[CVE-2016-6812] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. The calculated base URL is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If the unexpected matrix parameters have been injected into the request URL then these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client.

Affected versions: (, 3.0.11]; [3.1.0, 3.1.8]

Sourced from The Sonatype OSS Index.

[CVE-2015-5253] Permissions, Privileges, and Access Controls
The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack."

Affected versions: (, 2.7.17]; (, 3.0.6]; (, 3.1.2]

Sourced from The Sonatype OSS Index.

[CVE-2014-0035] Cryptographic Issues
The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

Affected versions: (, 2.6.12]; [2.7.0, 2.7.9]

Sourced from The Sonatype OSS Index.

[CVE-2014-0109] Resource Management Errors
Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (memory consumption) via a large request with the Content-Type set to text/html to a SOAP endpoint, which triggers an error.

Affected versions: (, 2.6.13]; [2.7.0, 2.7.10]

Sourced from The Sonatype OSS Index.

[CVE-2013-0239] Improper Authentication
Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security header of a SOAP request containing a UsernameToken element that lacks a password child element.

Affected versions: (, 2.5.8]; [2.6.0, 2.6.5]; [2.7.0, 2.7.2]

Sourced from The Sonatype OSS Index.

[CVE-2014-0110] Resource Management Errors
Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (/tmp disk consumption) via a large invalid SOAP message.

Affected versions: (, 2.6.13]; [2.7.0, 2.7.10]

Sourced from The Sonatype OSS Index.

[CVE-2013-2160] Resource Management Errors
The streaming XML parser in Apache CXF 2.5.x before 2.5.10, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of (1) elements, (2) attributes, (3) nested constructs, and possibly other vectors.

Affected versions: [2.5.0, 2.5.9]; [2.6.0, 2.6.6]; [2.7.0, 2.7.3]

Sourced from The Sonatype OSS Index.

[CVE-2014-3584] Resource Management Errors
The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.

Affected versions: (, 2.6.10]; [2.7.0, 2.7.7]; 3.0.0

Sourced from The Sonatype OSS Index.

[CVE-2014-0034] Improper Input Validation
The SecurityTokenService (STS) in Apache CXF before 2.6.12 and 2.7.x before 2.7.9 does not properly validate SAML tokens when caching is enabled, which allows remote attackers to gain access via an invalid SAML token.

Affected versions: (, 2.6.11]; [2.7.0, 2.7.8]

Sourced from The Sonatype OSS Index.

[CVE-2018-8039] It is possible to configure Apache CXF to use the com.sun.net.ssl implementation...
It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.

Affected versions: (, 3.1.16); (3.2.0, 3.2.5]

Sourced from The Sonatype OSS Index.

[CVE-2018-8039] It is possible to configure Apache CXF to use the com.sun.net.ssl implementation...
It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.

Affected versions: (, 3.1.16); [3.2.0, 3.2.5)


Updates cxf-rt-rs-extension-providers from 2.7.2 to 3.3.0

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
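The "Affected versions" lines above use interval notation: "[" and "]" are inclusive bounds, "(" and ")" exclusive, an empty bound is unbounded, and a bare version such as "3.0.0" means exactly that version. The following Python is an added example, not code from the Dependabot PR or from Apache CXF: it parses that notation and checks which of the listed advisories cover 2.7.2 but no longer cover 3.3.0. The CVE ids and ranges are copied from the list above (CVE-2018-8039 is listed twice on this page with differing ranges; the second listing is used here), and versions are ordered as plain integer tuples, so qualifiers like "-SNAPSHOT" are an assumed-out edge case.

```python
# Added example: check a dependency bump against advisory version intervals.
import re

# Advisory intervals copied from the PR description above (constructed mapping).
ADVISORIES = {
    "CVE-2014-3623": "[2.7.0, 2.7.13]; [3.0.0, 3.0.2)",
    "CVE-2017-3156": "(, 3.0.12]; [3.1.0, 3.1.9]",
    "CVE-2014-3584": "(, 2.6.10]; [2.7.0, 2.7.7]; 3.0.0",
    "CVE-2018-8039": "(, 3.1.16); [3.2.0, 3.2.5)",
}

_INTERVAL = re.compile(r"([\[(])\s*([\d.]*)\s*,\s*([\d.]*)\s*([\])])")


def parse_version(text):
    """Turn '3.0.12' into (3, 0, 12); assumes purely numeric dotted versions."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_ranges(spec):
    """Parse 'interval; interval; ...' into (lo, lo_incl, hi, hi_incl) tuples."""
    ranges = []
    for item in spec.split(";"):
        item = item.strip()
        m = _INTERVAL.fullmatch(item)
        if m is None:                      # bare version, e.g. "3.0.0": exact match
            exact = parse_version(item)
            ranges.append((exact, True, exact, True))
            continue
        lo = parse_version(m.group(2)) if m.group(2) else None   # None = unbounded
        hi = parse_version(m.group(3)) if m.group(3) else None
        ranges.append((lo, m.group(1) == "[", hi, m.group(4) == "]"))
    return ranges


def in_range(version, rng):
    """True if `version` lies inside one parsed interval, honouring open/closed ends."""
    lo, lo_incl, hi, hi_incl = rng
    v = parse_version(version)
    if lo is not None and (v < lo or (v == lo and not lo_incl)):
        return False
    if hi is not None and (v > hi or (v == hi and not hi_incl)):
        return False
    return True


def is_affected(version, spec):
    return any(in_range(version, r) for r in parse_ranges(spec))


def closed_by_bump(old, new, advisories=ADVISORIES):
    """Advisories that affect `old` but not `new`, i.e. what the bump actually fixes."""
    return sorted(cve for cve, spec in advisories.items()
                  if is_affected(old, spec) and not is_affected(new, spec))


if __name__ == "__main__":
    print(closed_by_bump("2.7.2", "3.3.0"))
```

A bump that stays inside an affected interval (for example 2.7.2 to 3.0.0) closes none of the four advisories, which is the check worth running before merging a dependency PR.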

Bumps `version.cxf` from 2.7.2 to 3.3.0.

Updates `cxf-rt-frontend-jaxrs` from 2.7.2 to 3.3.0

Updates `cxf-rt-rs-extension-providers` from 2.7.2 to 3.3.0

Signed-off-by: dependabot[bot] <[email protected]>
dependabot-preview[bot] added the labels "dependencies" (Pull requests that update a dependency file) and "security" (Pull requests that address a security vulnerability) on Feb 12, 2019