===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4157
        Multiple vulnerabilities have been identified in Apache CXF
                              6 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache CXF
Publisher:         The Apache Software Foundation
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service   -- Existing Account
                   Unauthorised Access -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-12419 CVE-2019-12406 

Original Bulletin: 
   http://cxf.apache.org/security-advisories.data/CVE-2019-12406.txt.asc
   http://cxf.apache.org/security-advisories.data/CVE-2019-12419.txt.asc

Comment: This bulletin contains two (2) Apache Software Foundation
         security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------


CVE-2019-12406: Apache CXF does not restrict the number of message attachments

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 3.3.4 and
3.2.11.

Description:

Apache CXF does not restrict the number of message attachments present in a 
given message. This leaves open the possibility of a denial of service type
attack, where a malicious user crafts a message containing a very large number
of message attachments.

From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments
is enforced. This is configurable via the message property
"attachment-max-count".
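As an added illustration of the kind of limit the fix introduces (this is not Apache CXF code), the following counts attachment parts of a multipart/related body by scanning delimiter lines and stops as soon as a configurable maximum, defaulting to 50 like CXF's "attachment-max-count", is exceeded, so an oversized message is rejected without every part being parsed. The multipart builder and the boundary string are constructed sample input.

```python
import io
import re

DEFAULT_ATTACHMENT_MAX_COUNT = 50  # default introduced in CXF 3.3.4 / 3.2.11


def build_multipart(n_attachments):
    """Construct a minimal multipart/related body: one XML root part plus
    n_attachments binary parts. Constructed sample input, not captured traffic."""
    b = "sample-boundary"
    out = ['Content-Type: multipart/related; boundary="%s"\r\n\r\n' % b,
           "--%s\r\nContent-Type: text/xml\r\n\r\n<root/>\r\n" % b]
    for i in range(n_attachments):
        out.append("--%s\r\nContent-Type: application/octet-stream\r\n"
                   "Content-ID: <att%d>\r\n\r\nx\r\n" % (b, i))
    out.append("--%s--\r\n" % b)
    return "".join(out).encode()


def count_attachments(body, max_count=DEFAULT_ATTACHMENT_MAX_COUNT):
    """Count attachment parts by scanning for boundary delimiter lines and stop
    as soon as the count exceeds max_count, so the cost of an oversized message
    is bounded by the limit rather than by the attacker's message size.
    Returns (accepted, attachments_seen)."""
    head, sep, payload = body.partition(b"\r\n\r\n")
    m = re.search(rb'boundary="?([^";\r\n]+)"?', head)
    if not sep or m is None:
        return False, 0  # not a well-formed multipart message
    delim = b"--" + m.group(1)
    parts = 0
    for line in io.BytesIO(payload):
        # A delimiter line is exactly "--boundary"; "--boundary--" closes the body.
        if line.rstrip(b"\r\n") == delim:
            parts += 1
            if parts - 1 > max_count:  # first part is the root, not an attachment
                return False, parts - 1
    return True, max(parts - 1, 0)
```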

Mitigation:

Users of Apache CXF should update to either the 3.3.4 or 3.2.11 releases.


CVE-2019-12419: Apache CXF OpenId Connect token service does not properly validate the clientId

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 3.3.4 and
3.2.11.

Description:

Apache CXF provides all of the components that are required to build a fully
fledged OpenId Connect service. There is a vulnerability in the access token
service, which does not validate that the authenticated principal is equal
to the clientId parameter supplied in the request.

If a malicious client was able to somehow steal an authorization code issued
to another client, then they could exploit this vulnerability to obtain an
access token for the other client.
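The missing check, shown as an added example rather than CXF's own code: a minimal authorization-code grant handler in its vulnerable form (trusting the clientId parameter alone) beside a corrected form that also requires the authenticated principal to be the client named in the request. The code store, client names and token format are constructed for illustration; when the client_id parameter is absent the corrected handler falls back to the authenticated principal, an assumption of this example.

```python
from dataclasses import dataclass


@dataclass
class AuthorizationCode:
    value: str
    client_id: str  # client the code was issued to
    subject: str    # end user who authorized it


# Constructed store: a single code issued to "client-a" for user "alice".
ISSUED_CODES = {"code-123": AuthorizationCode("code-123", "client-a", "alice")}


def lookup_code(code):
    return ISSUED_CODES.get(code)


def make_token(code):
    # Constructed token shape; a real service would mint a signed/opaque token.
    return {"access_token": "tok-" + code.value,
            "client_id": code.client_id, "sub": code.subject}


def issue_token_vulnerable(principal, params):
    """Behaviour described in the advisory: the code's owner is compared only
    with the client_id parameter, never with the client that authenticated."""
    code = lookup_code(params.get("code"))
    if code is None or code.client_id != params.get("client_id"):
        return None
    return make_token(code)


def issue_token_fixed(principal, params):
    """Corrected form: the authenticated principal must be the client named by
    client_id, so a code stolen from another client cannot be redeemed."""
    client_id = params.get("client_id", principal)
    if principal is None or client_id != principal:
        return None  # request names a client other than the one that authenticated
    code = lookup_code(params.get("code"))
    if code is None or code.client_id != client_id:
        return None
    return make_token(code)
```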

Mitigation:

Users of Apache CXF that rely on the OpenId Connect service should update to
either the 3.3.4 or 3.2.11 releases.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================