PT-2017-15692 · Apache · Apache Cxf

Richard Kettelerij · Published 2017-08-10 · Updated 2022-05-13 · CVE-2017-3156

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache CXF versions prior to 3.0.13
Apache CXF versions 3.1.x prior to 3.1.10

Description
The issue concerns the OAuth2 Hawk and JOSE MAC validation code, which does not use a constant-time MAC signature comparison algorithm. This could potentially be exploited by sophisticated timing attacks.

Recommendations
For Apache CXF versions prior to 3.0.13, update to version 3.0.13 or later.
For Apache CXF versions 3.1.x prior to 3.1.10, update to version 3.1.10 or later.
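The weakness described above is a MAC tag comparison whose running time depends on how many leading bytes of the supplied tag match the expected one. The Java snippet below is an added illustration, not Apache CXF's own code: it places the early-exit comparison pattern the advisory describes next to the constant-time form based on java.security.MessageDigest.isEqual, and shows a verify routine that recomputes the HMAC server-side before comparing. HMAC-SHA256, the demo key and the demo message are constructed for the example, and the method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class MacCompareDemo {
    // Constructed demo key; in a real deployment the key comes from configuration.
    private static final byte[] KEY = "demo-shared-secret".getBytes(StandardCharsets.UTF_8);

    static byte[] hmacSha256(byte[] key, byte[] message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(message);
    }

    // Pattern the advisory describes (illustrative, not Apache CXF's actual code):
    // the loop returns as soon as one byte differs, so the time taken depends on
    // the position of the first mismatch. That position is exactly what a timing
    // measurement can recover, one byte at a time.
    static boolean naiveEquals(byte[] expected, byte[] supplied) {
        if (expected.length != supplied.length) {
            return false;
        }
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != supplied[i]) {
                return false;
            }
        }
        return true;
    }

    // Hardened form: MessageDigest.isEqual compares equal-length inputs in
    // constant time (Java 6u17 and later), so the running time no longer reveals
    // where the first mismatch occurs. A length mismatch still returns early,
    // which is acceptable because the tag length is public.
    static boolean constantTimeEquals(byte[] expected, byte[] supplied) {
        return MessageDigest.isEqual(expected, supplied);
    }

    // Recompute the tag over the received message and compare it with the
    // client-supplied tag using the constant-time comparison.
    static boolean verify(byte[] key, byte[] message, byte[] suppliedTag) throws Exception {
        byte[] expected = hmacSha256(key, message);
        return constantTimeEquals(expected, suppliedTag);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample message standing in for a signed request.
        byte[] message = "GET /resource host=example.com".getBytes(StandardCharsets.UTF_8);
        byte[] goodTag = hmacSha256(KEY, message);
        byte[] badTag = goodTag.clone();
        badTag[badTag.length - 1] ^= 0x01; // flip one bit in the trailing byte

        System.out.println("valid tag accepted:    " + verify(KEY, message, goodTag));
        System.out.println("tampered tag rejected: " + !verify(KEY, message, badTag));
        // Both comparisons return the same boolean; only their timing behaviour differs.
        System.out.println("same verdict from both comparisons: "
                + (naiveEquals(goodTag, badTag) == constantTimeEquals(goodTag, badTag)));
    }
}
```

The fix is a drop-in replacement: the verdict is unchanged, only the timing side channel is removed. When reviewing MAC or signature validation code, any hand-written byte loop or Arrays.equals call on a tag is the thing to look for; MessageDigest.isEqual (or an equivalent constant-time helper) is the expected form.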

Fix


Weakness Enumeration

Related Identifiers

CVE-2017-3156
GHSA-QC2P-Q7X9-V64P

Affected Products

Apache Cxf