-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.3072
           Apache CXF Fediz 1.4.3 and 1.3.3 released with a new
                     security advisory CVE-2017-12631
                              1 December 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache CXF
Publisher:         The Apache Software Foundation
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12631  

Original Bulletin: 
   http://cxf.apache.org/security-advisories.data/CVE-2017-12631.txt.asc

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2017-12631: CSRF vulnerabilities in the Apache CXF Fediz Spring plugins.

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF Fediz prior to 1.4.3
and 1.3.3.

Description:

Apache CXF Fediz ships with a number of container-specific plugins to enable
WS-Federation for applications. A CSRF (Cross Style Request Forgery) style
vulnerability has been found in the Spring 2, Spring 3 and Spring 4 plugins.
The vulnerability can result in a security context that is set up using a
malicious client's roles for the given enduser.

Please note that this is a separate security advisory to a previous advisory
(CVE-2017-7661) that covered another type of CSRF attack on the Spring plugins.

This has been fixed in revision:

https://github.com/apache/cxf-fediz/commit/e7127129dbc0f4ee83985052085e185e750cebbf

Migration:

Apache CXF Fediz users should upgrade to 1.4.3 or 1.3.3 as soon as possible if
they are using either the Spring 2, Spring 3 or Spring 4 plugins. 

- -----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJaH9tqAAoJEGe/gLEK1TmDyYIH/jeSMNdErdBQwqfRpW3lDPGj
159hXiQqHN8KtweYztnCw5W1RnwZaKsipR97Ux+hPM4NVNYKBr0PsHj4gkTW/E4J
e+5ZDsr6pKDw9hQWSKtfH5yqC34jqghW509yeAWQ0toQSO+73cIn1CTR1wVXX54k
mGhj9oSMHdDsSg3M3mFu2EE01KOE2ZlwcIjVPVBdIgFB4rUl+WoBHbu1BYTYxzgd
dA8RXqB3Rh9+KHUcN+JHrlnT8RckxNUz1IroSgiN0WAiCuZDcLGTJXqSci3iUWzn
hIcUyF+btbUvJIcyRXMhWaZU3+8TS0iuvnoaZdLQfhJcd5YnQffv+USg86Eg4Ts=
=V3pI
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWiC/fYx+lLeg9Ub1AQjRAxAAoY0G53pLLCi+iD4mM5/PjLXgMlz7MRjK
xxRyKphvTMPU6UT0RCdfDnG5UQV5XG7g29dU0eThF3FREVGZFHG47CtlPptNOxlb
NORNZMz2D9tB8pq4MbqJcw3TfjaH3QyMhTLcZGzsTcnyj/qwM/Yk8EPW0UrL0pzw
6CDYELwVa4i9UFMse/4GTGmCMVB1KvukyAQ9/0v4O0q8Dy5zWJJPXlol/dOyCoh3
kYVAEsXU/vibO48g+zfZZsE4k9TsAW0gTI+omVd5+vJmkf8JPBY6x+nUvJUJlxpV
n7VoY0bbrPNmcLpXnEghKxGJrYYFtGmOSL905KswtyOu8U+LsHBqZPYyryEMqFWn
ObuRzEiTPeJjf8hXxSDIXm/QIweBKvJJRg/MZHmLvPugVwMHCHJioTOzihZE3nnr
iCLFsKdkPSAQbxI2u7ZDioxgp+eA0HqhhIWzPql/AIZb6gY0a5GASlaXXVyI+dff
wm9AbA5DsQ9ICCf1p9UDpFNlA+Li+kN3NtNXp+LrwdL81koHlS+JY4YJ8tPAEGKF
nJkVtSg9NJ0FNzACapv9NSk9++h7CEXR4CoStK9LsGf4PVhrES0w/zKnj+OaRF/i
q2baELVFimf+I22LIrPCZ2M+8Y4oupH6zxjo99jMFaOmDqjBfuHHXUaKZvnFZ+iD
XM6Gp30nJlU=
=CD5W
-----END PGP SIGNATURE-----