[ANNOUNCE] - Apache Kerby™ 1.0.0

2017-05-18 Thread Colm O hEigeartaigh
The Apache Directory team is pleased to announce the release of Apache
Kerby™ 1.0.0.

Apache Kerby™ is a Java Kerberos binding. It aims to provide a rich,
intuitive and interoperable implementation, library, KDC and various
facilities that integrate PKI, OTP and token (OAuth2) as desired in modern
environments such as cloud, Hadoop and mobile.

This release has 70 resolved issues since the 1.0.0-RC2 (March 13, 2016):
New features include:
1. Kerby authorization support.
2. XDR protocol support for remote kadmin.
3. Some important fixes for JWT token support, keytab utilities and
SimpleKdcServer.

You can download the latest sources package at :
http://directory.apache.org/kerby/downloads.html

You can read more about Apache Kerby™ at:
http://directory.apache.org/kerby

Anyone willing to contribute to Kerby is very welcome!
Git repo in Apache: https://git-wip-us.apache.org/repos/asf/directory-kerby.git
Github site: https://github.com/apache/directory-kerby
Umbrella JIRA: https://issues.apache.org/jira/browse/DIRKRB-102

Thanks to everyone who contributed to the release!

Best Regards,
The Apache Directory Team


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


Apache CXF Fediz 1.4.1 released

2017-08-29 Thread Colm O hEigeartaigh
Apache CXF Fediz 1.4.1 is released.

Apache CXF Fediz is a subproject of CXF. Fediz helps you to secure your web
applications and delegates security enforcement to the underlying
application server. With Fediz, authentication is externalized from your
web application to an identity provider installed as a dedicated server
component. The supported standard is WS-Federation Passive Requestor
Profile. Fediz supports Claims Based Access Control beyond Role Based
Access Control (RBAC).

For more information and to download the new release please visit:

http://cxf.apache.org/fediz.html




Apache Santuario XML Security for Java 2.0.9 and 2.1.0 released

2017-08-29 Thread Colm O hEigeartaigh
Apache Santuario XML Security for Java 2.0.9 and 2.1.0 have been released.

The Apache Santuario project is aimed at providing implementation of the
primary security standards for XML, namely XML-Signature Syntax and
Processing and XML Encryption Syntax and Processing. The Apache XML
Security for Java library includes the standard JSR-105 (Java XML Digital
Signature) API, a mature DOM-based implementation of both XML Signature and
XML Encryption, as well as a more recent StAX-based (streaming) XML
Signature and XML Encryption implementation.

Please visit the webpage for more information and to download the release:

http://santuario.apache.org/




New security advisory CVE-2017-12624 released for Apache CXF

2017-11-14 Thread Colm O hEigeartaigh
A new security advisory has been released for Apache CXF, that is fixed in
the recent 3.2.1 and 3.1.14 releases:

CVE-2017-12624: Apache CXF web services that process attachments are
vulnerable to Denial of Service (DoS) attacks

The full text of the advisory is available here:

http://cxf.apache.org/security-advisories.data/CVE-2017-12624.txt.asc

Colm.




Apache Kerby 1.1.0 released

2017-11-28 Thread Colm O hEigeartaigh
The Apache Directory team is pleased to announce the release of Apache
Kerby 1.1.0.

Apache Kerby™ is a Java Kerberos binding. It provides a rich, intuitive and
interoperable implementation, library, KDC and various facilities that
integrate PKI, OTP and token (OAuth2) as desired in modern environments
such as cloud, Hadoop and mobile.

This is a new major release of Apache Kerby, which implements cross-realm
support, and also includes a GSSAPI module.

http://directory.apache.org/kerby/




[ANNOUNCE] Apache CXF 3.0.16 released

2017-11-29 Thread Colm O hEigeartaigh
Apache CXF™ is an open source services framework. CXF helps you build and
develop services using frontend programming APIs, like JAX-WS and JAX-RS.
These services can speak a variety of protocols such as SOAP, XML/HTTP,
RESTful HTTP, or CORBA and work over a variety of transports such as HTTP,
JMS or JBI.

The Apache CXF team is pleased to announce the release of Apache CXF
3.0.16. This is a minor patch release which includes a fix for the security
advisory CVE-2017-12624.

This will be the last release of Apache CXF 3.0.x for the foreseeable
future - users are encouraged to migrate to CXF 3.1.x or 3.2.x.




Apache CXF Fediz 1.4.3 and 1.3.3 released with a new security advisory CVE-2017-12631

2017-11-30 Thread Colm O hEigeartaigh
Apache CXF Fediz is a subproject of CXF. Fediz helps you to secure your web
applications and delegates security enforcement to the underlying
application server.

Apache CXF Fediz 1.4.3 and 1.3.3 are released along with a new security
advisory that is fixed in these releases:

CVE-2017-12631: CSRF vulnerabilities in the Apache CXF Fediz Spring plugins.

http://cxf.apache.org/security-advisories.data/CVE-2017-12631.txt.asc

Users who are using the Spring security plugins of Apache CXF Fediz should
upgrade immediately to the latest releases.

Colm.




[ANNOUNCE] Apache Sentry 1.7.1 released

2018-01-05 Thread Colm O hEigeartaigh
Apache Sentry is a system to enforce fine grained role based authorization
to data and metadata stored on a Hadoop cluster.

The Apache Sentry team is happy to announce the release of version 1.7.1.
This release contains a fix for the following security advisory:

CVE-2015-3254: Apache Sentry vulnerabilities due to use of vulnerable
version of Apache Thrift

The full advisory text is available here:

https://cwiki.apache.org/confluence/download/attachments/65864610/CVE-2015-3254.txt.asc

The release bits are available at:

http://sentry.apache.org/general/downloads.html

Regards,
Sentry team



Apache CXF 3.1.15 released

2018-03-13 Thread Colm O hEigeartaigh
Apache CXF™ is an open source services framework. CXF helps you build and
develop services using frontend programming APIs, like JAX-WS and JAX-RS.
These services can speak a variety of protocols such as SOAP, XML/HTTP,
RESTful HTTP, or CORBA and work over a variety of transports such as HTTP,
JMS or JBI.

The Apache CXF team is proud to announce the release of Apache CXF 3.1.15.
This is a patch release where 57 JIRA items were resolved.

To download Apache CXF 3.1.15 please go to:

http://cxf.apache.org/download.html



Apache CXF 3.2.5 and 3.1.16 are released

2018-07-04 Thread Colm O hEigeartaigh
Apache CXF™ (http://cxf.apache.org/) is an open source services framework.
CXF helps you build and develop services using frontend programming APIs,
like JAX-WS and JAX-RS. These services can speak a variety of protocols
such as SOAP, XML/HTTP, RESTful HTTP, or CORBA and work over a variety of
transports such as HTTP, JMS or JBI.

The Apache CXF team is proud to announce the release of versions 3.2.5 and
3.1.16. Over 50 JIRA issues were fixed for 3.2.5 and 25 JIRA items were
resolved for 3.1.16.

The releases can be downloaded here: http://cxf.apache.org/download.html

In addition, both of these releases contain a fix for a new security
advisory:

CVE-2018-8039: Apache CXF TLS hostname verification does not work correctly
with com.sun.net.ssl.

The advisory text is available at this location:
http://cxf.apache.org/security-advisories.data/CVE-2018-8039.txt.asc?version=1&modificationDate=1530184663000&api=v2

Please also refer to the CXF security advisories page:
http://cxf.apache.org/security-advisories.html





Apache CXF Fediz 1.4.4 is released

2018-07-04 Thread Colm O hEigeartaigh
Apache CXF Fediz (http://cxf.apache.org/fediz) is a subproject of Apache
CXF. Fediz helps you to secure your web applications and delegates security
enforcement to the underlying application server. With Fediz,
authentication is externalized from your web application to an identity
provider installed as a dedicated server component.

The Apache CXF Fediz team is pleased to announce the release of version
1.4.4, which is available for download here:
http://cxf.apache.org/fediz-downloads.html

This release contains a fix for a new security advisory:

CVE-2018-8038: Apache CXF Fediz is vulnerable to DTD based XML attacks

The advisory text is available at this location:
http://cxf.apache.org/security-advisories.data/CVE-2018-8038.txt.asc

Please also refer to the CXF security advisories page:
http://cxf.apache.org/security-advisories.html




Apache Kerby 2.0.0 is released

2019-01-28 Thread Colm O hEigeartaigh
The Apache Directory team is pleased to announce the release of Apache
Kerby™ 2.0.0.

Apache Kerby™ is a Java Kerberos binding. It aims to provide a rich,
intuitive and interoperable implementation, library, KDC and various
facilities that integrate PKI, OTP and token (OAuth2) as desired in modern
environments such as cloud, Hadoop and mobile.

This release has 43 resolved issues since the 1.1.1 (May 2018) release. The
main new function is HAS (Hadoop Authentication Service). HAS is a solution
to support authentication in the open source big data ecosystem in cloud
computing platforms with the following features:

1. It provides a new authentication mechanism to customize and integrate
with existing user authentication and authorization systems.
2. It provides REST APIs and facility tools to simplify Kerberos support
3. It provides a MySQL backend for High Availability.
4. The new authentication mechanism now supports most of the components of
the open source big data ecosystem with little or no changes to the
components themselves, including HDFS, HBase, Zookeeper, Hive, Spark...

You can download the latest sources package at :
http://directory.apache.org/kerby/downloads.html

You can read more about Apache Kerby™ at:
http://directory.apache.org/kerby

Anyone willing to contribute to Kerby is very welcome!
Github site: https://github.com/apache/directory-kerby
Umbrella JIRA: https://issues.apache.org/jira/browse/DIRKRB-102

Thanks to everyone who contributed to the release!

Best Regards,
The Apache Directory Team



[CVE-2019-12400] Apache Santuario potentially loads XML parsing code from an untrusted source

2019-08-23 Thread Colm O hEigeartaigh
The following security advisory is announced for the Apache Santuario - XML
Security for Java project, which is fixed in the recent 2.1.4 release.

[CVEID]:CVE-2019-12400
[PRODUCT]:Apache Santuario - XML Security for Java
[VERSION]:All 2.0.x releases from 2.0.3, all 2.1.x releases before 2.1.4.
[PROBLEMTYPE]:Process Control
[REFERENCES]:
http://santuario.apache.org/secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2
[DESCRIPTION]:In version 2.0.3 of Apache Santuario XML Security for Java, a
caching mechanism was introduced to speed up creating new XML documents using
a static pool of DocumentBuilders.

However, if some untrusted code can register a malicious implementation with
the thread context class loader first, then this implementation might be
cached and re-used by Apache Santuario - XML Security for Java, leading to
potential security flaws when validating signed documents, etc.

For more information, please see the security advisories page of Apache
Santuario: http://santuario.apache.org/secadv.html



[CVE-2019-12419] Apache CXF OpenId Connect token service does not properly validate the clientId

2019-11-05 Thread Colm O hEigeartaigh
[CVEID]:CVE-2019-12419
[PRODUCT]:Apache CXF
[VERSION]:Apache CXF versions before 3.3.4 and 3.2.11
[PROBLEMTYPE]:Apache CXF OpenId Connect token service does not properly
validate the clientId
[REFERENCES]:
http://cxf.apache.org/security-advisories.data/CVE-2019-12419.txt.asc
[DESCRIPTION]:Apache CXF provides all of the components that are required
to build a fully fledged OpenId Connect service. There is a vulnerability in
the access token services, where it does not validate that the authenticated
principal is equal to that of the supplied clientId parameter in the request.

If a malicious client was able to somehow steal an authorization code issued
to another client, then they could exploit this vulnerability to obtain an
access token for the other client.
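The check the advisory above describes, shown side by side with the missing one. This is an added illustration written in Python for this page, not Apache CXF code: the in-memory token service, the client names "good" and "evil", the user "alice" and the error strings are all constructed for the example.

```python
"""Authorization-code exchange with and without the principal == clientId check.

Added illustration for CVE-2019-12419; not Apache CXF code. The client
registry, the issued codes and the client/user names are constructed.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthCode:
    client_id: str      # client the code was issued to
    subject: str        # end user who approved the grant
    scope: str


@dataclass
class TokenService:
    codes: dict = field(default_factory=dict)   # code value -> AuthCode
    issued: list = field(default_factory=list)  # audit trail of (client_id, subject)

    def issue_code(self, client_id, subject, scope="openid"):
        code = secrets.token_urlsafe(16)
        self.codes[code] = AuthCode(client_id, subject, scope)
        return code

    def exchange_vulnerable(self, authenticated_client, client_id, code):
        """Checks only that the code exists and was issued to the supplied
        clientId. The authenticated principal is never compared with clientId,
        so a client holding someone else's code can redeem it by naming the
        victim client in the request."""
        grant = self.codes.get(code)
        if grant is None or grant.client_id != client_id:
            raise PermissionError("invalid_grant")
        del self.codes[code]                     # codes are single use
        self.issued.append((client_id, grant.subject))
        return {"access_token": secrets.token_urlsafe(24), "client_id": client_id}

    def exchange_fixed(self, authenticated_client, client_id, code):
        """Additionally requires the authenticated client to be the clientId."""
        if authenticated_client != client_id:
            raise PermissionError("invalid_client")
        return self.exchange_vulnerable(authenticated_client, client_id, code)


def _run(fixed, authenticated_client):
    svc = TokenService()
    code = svc.issue_code("good", "alice")       # code issued to client "good"
    exchange = svc.exchange_fixed if fixed else svc.exchange_vulnerable
    try:
        exchange(authenticated_client, "good", code)
        return "token issued"
    except PermissionError as e:
        return str(e)


def stolen_code_scenario(fixed):
    """'evil' authenticates as itself but presents a code issued to 'good'."""
    return _run(fixed, "evil")


def legitimate_scenario(fixed):
    """'good' redeems its own code; must succeed before and after the fix."""
    return _run(fixed, "good")


if __name__ == "__main__":
    print("vulnerable, stolen code:", stolen_code_scenario(False))
    print("fixed, stolen code:     ", stolen_code_scenario(True))
    print("fixed, own code:        ", legitimate_scenario(True))
```

The authenticated principal comes from client authentication at the token endpoint (client secret, mTLS, private_key_jwt), while the clientId is just a request parameter; the fix is to refuse the exchange whenever the two disagree, before looking the code up at all.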


[CVE-2019-12406] Apache CXF does not restrict the number of message attachments

2019-11-05 Thread Colm O hEigeartaigh
[CVEID]:CVE-2019-12406
[PRODUCT]:Apache CXF
[VERSION]:Apache CXF versions before 3.3.4 and 3.2.11
[PROBLEMTYPE]:Denial of Service
[REFERENCES]:
http://cxf.apache.org/security-advisories.data/CVE-2019-12406.txt.asc
[DESCRIPTION]:Apache CXF does not restrict the number of message attachments
present in a given message. This leaves open the possibility of a denial of
service type attack, where a malicious user crafts a message containing a
very large number of message attachments.

From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments
is enforced. This is configurable via the message property
"attachment-max-count".


[CVE-2019-17573] Apache CXF Reflected XSS in the services listing page

2020-01-16 Thread Colm O hEigeartaigh
CVE-2019-17573: Apache CXF Reflected XSS in the services listing page

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 3.3.5 and
3.2.12.

Description:

By default, Apache CXF creates a /services page containing a listing of the
available endpoint names and addresses. This webpage is vulnerable to a
reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to
inject javascript into the web page.

Please note that the attack exploits a feature which is not typically present
in modern browsers, which remove dot segments before sending the request.
However, mobile applications may be vulnerable.

Mitigation:

Users of Apache CXF should update to either 3.3.5 or 3.2.12. Alternatively,
it is possible to disable the service listing altogether by setting the
"hide-service-list-page" servlet parameter to "true".

Credit:

We would like to thank the GE cyber security team for reporting this issue.


[CVE-2019-12423] - Apache CXF OpenId Connect JWK Keys service returns private/secret credentials if configured with a jwk keystore

2020-01-16 Thread Colm O hEigeartaigh
CVE-2019-12423: Apache CXF OpenId Connect JWK Keys service returns
private/secret credentials if configured with a jwk keystore

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 3.3.5 and
3.2.12.

Description:

Apache CXF ships with an OpenId Connect JWK Keys service, which allows a client
to obtain the public keys in JWK format, which can then be used to verify the
signature of tokens issued by the service.

Typically, the service obtains the public key from a local keystore
(JKS/PKCS12) by specifying the path of the keystore and the alias of the
keystore entry. This case is not vulnerable.

However it is also possible to obtain the keys from a JWK keystore file, by
setting the configuration parameter "rs.security.keystore.type" to "jwk". For
this case all keys are returned in this file "as is", including all private
key and secret key credentials.

This is an obvious security risk if the user has configured the signature
keystore file with private or secret key credentials.

From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding
to the id of the key in the JWK file, and only this key is returned. In
addition, any private key information is omitted by default. "oct" keys, which
contain secret keys, are not returned at all.

Mitigation:

Users of Apache CXF that use the OpenId Connect JWK keys service as part of
their OpenId Connect service should update to either the 3.3.5 or 3.2.12
releases.
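What the fixed behaviour amounts to, as an added Python example for this page rather than CXF's own implementation: select one key by its alias (kid), strip the private parameters for its key type, and refuse to publish symmetric "oct" keys. The JWK set below is constructed with placeholder base64url values and is not a real key; the parameter names come from RFC 7518 section 6.

```python
"""Filter a JWK set so a keys endpoint publishes only public material.

Added illustration for CVE-2019-12423; not Apache CXF code. SAMPLE_JWKS is a
constructed JWK set with placeholder values, not real key material.
"""
import copy
import json

# Parameters that carry private key material, per RFC 7518 section 6.
PRIVATE_PARAMS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC":  {"d"},
    "OKP": {"d"},
}

# Constructed sample of what a signature keystore in JWK format might hold.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "sign-2020", "use": "sig", "alg": "RS256",
     "n": "sample-modulus", "e": "AQAB",
     "d": "PRIVATE-EXPONENT", "p": "PRIME1", "q": "PRIME2",
     "dp": "EXP1", "dq": "EXP2", "qi": "COEFF"},
    {"kty": "EC", "kid": "sign-ec", "use": "sig", "crv": "P-256",
     "x": "X-COORD", "y": "Y-COORD", "d": "PRIVATE-SCALAR"},
    {"kty": "oct", "kid": "hmac-1", "alg": "HS256", "k": "SHARED-SECRET"},
]})


def vulnerable_jwks(jwks_json):
    """Pre-fix behaviour: the keystore file is served back exactly as loaded."""
    return json.loads(jwks_json)


def public_jwks(jwks_json, alias):
    """Return the JWK set to publish for `alias` (the kid), with private and
    symmetric material removed. Raises if the alias is missing, ambiguous, or
    names a key that has no public part."""
    keys = json.loads(jwks_json)["keys"]
    matches = [k for k in keys if k.get("kid") == alias]
    if len(matches) != 1:
        raise KeyError(f"alias {alias!r} does not identify exactly one key")
    key = copy.deepcopy(matches[0])
    kty = key.get("kty")
    if kty == "oct" or kty not in PRIVATE_PARAMS:
        # Symmetric keys have no public part; unknown types could leak material.
        raise ValueError(f"key {alias!r} of type {kty!r} cannot be published")
    for p in PRIVATE_PARAMS[kty]:
        key.pop(p, None)
    return {"keys": [key]}


def leaks_private_material(jwks):
    """True if any key in the set still carries private or symmetric parameters."""
    for k in jwks["keys"]:
        if k.get("kty") == "oct" and "k" in k:
            return True
        if set(k) & PRIVATE_PARAMS.get(k.get("kty"), set()):
            return True
    return False


if __name__ == "__main__":
    print("before fix leaks:", leaks_private_material(vulnerable_jwks(SAMPLE_JWKS)))
    print("published:", json.dumps(public_jwks(SAMPLE_JWKS, "sign-2020")))
```

Stripping by an explicit allowlist of private parameter names is deliberate: the public JWK is rebuilt from the original so that "use", "alg" and "kid" survive, while anything in PRIVATE_PARAMS for that key type is dropped even if the file carried extra fields.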


[CVE-2020-1954] Apache CXF JMX Integration is vulnerable to a MITM attack

2020-04-01 Thread Colm O hEigeartaigh
CVE-2020-1954: Apache CXF JMX Integration is vulnerable to a MITM attack

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 3.3.6 and
3.2.13.

Description:

Apache CXF has the ability to integrate with JMX by registering an
InstrumentationManager extension with the CXF bus. If the
"createMBServerConnectorFactory" property of the default
InstrumentationManagerImpl is not disabled, then it is vulnerable to a
man-in-the-middle (MITM) style attack.

An attacker on the same host can connect to the registry and rebind the entry
to another server, thus acting as a proxy to the original. They are then able
to gain access to all of the information that is sent and received over JMX.

Mitigation:

Users of Apache CXF that use the InstrumentationManagerImpl should update to
either 3.3.6 or 3.2.13. Alternatively, set the createMBServerConnectorFactory
property to false and use the default JVM JMX remote capabilities instead. From
CXF 3.4.0, the createMBServerConnectorFactory property will be removed
altogether.

Credit:

Jonathan Gallimore, Tomitribe and Colm O hEigeartaigh, Talend.

Reference:
http://cxf.apache.org/security-advisories.data/CVE-2020-1954.txt.asc?version=1&modificationDate=1585730169000&api=v2


Apache CXF Fediz 1.5.0 is released

2020-06-23 Thread Colm O hEigeartaigh
Apache CXF Fediz 1.5.0 is released. Apache CXF Fediz is a subproject of
CXF, which helps you to secure your web applications and delegates security
enforcement to the underlying application server.

This is a major new release with the following issues fixed:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12313420&version=12336848

The main changes are:

   - The IdP is updated to use Spring Security 4.
   - Support is added for Jetty 9.4 + Tomcat 9 plugins
   - A fix for issues that prevented the Tomcat plugin working from
   versions 8.5.50 and 9.0.30
   - The Tomcat 7, Jetty 8, Spring Security 2 + 3 plugins are removed.

See the download page for more information.

Colm.


CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath

2020-11-12 Thread Colm O hEigeartaigh
Description:

By default, Apache CXF creates a /services page containing a listing of the
available endpoint names and addresses. This webpage is vulnerable to a
reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which
allows a malicious actor to inject javascript into the web page.

This vulnerability affects all versions of Apache CXF prior to 3.4.1 and
3.3.8.

Please note that this is a separate issue to CVE-2019-17573.

Workaround:

Users of Apache CXF should update to either 3.3.8 or 3.4.1. Alternatively,
it is possible to disable the service listing altogether by setting the
"hide-service-list-page" servlet parameter to "true".

Credit:

Thanks to Ryan Lambeth for reporting this issue.

References: http://cxf.apache.org/security-advisories.html


[Apache CXF] CVE-2021-22696: OAuth 2 authorization service vulnerable to DDoS attacks

2021-04-02 Thread Colm O hEigeartaigh
CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via
a JWT token as opposed to query parameters (see: The OAuth 2.0
Authorization Framework: JWT Secured Authorization Request (JAR)).
Instead of sending a JWT token as a "request" parameter, the spec also
supports specifying a URI from which to retrieve a JWT token from via
the "request_uri" parameter.

CXF was not validating the "request_uri" parameter (apart from
ensuring it uses "https") and was making a REST request to the
parameter in the request to retrieve a token.

This means that CXF was vulnerable to DDoS attacks on the
authorization server, as specified in section 10.4.1 of the spec.

Users of Apache CXF 3.4.x should update to 3.4.3;
Users of Apache CXF 3.3.x should update to 3.3.10;
Users of any other versions of CXF should upgrade to one of these
supported releases.

Reference: http://cxf.apache.org/security-advisories.data/CVE-2021-22696.txt.asc
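The validation gap above, and the mitigation the JAR spec (RFC 9101) recommends in the section cited: only dereference request_uri values the client pre-registered, after checking the scheme. This is an added Python example for this page, not CXF's JwtRequestCodeFilter; the client registry, the hostnames, the length cap and the RecordingFetcher stand-in for the outbound HTTP client are all constructed here.

```python
"""Validate a JAR request_uri against a per-client allowlist before fetching it.

Added illustration for CVE-2021-22696; not Apache CXF code. The registry,
the URIs and the fetcher are constructed for the example.
"""
from urllib.parse import urlsplit

# Constructed registry: each client pre-registers the exact request_uri values
# the authorization server may fetch on its behalf.
REGISTERED_REQUEST_URIS = {
    "client-a": {"https://client-a.example/oauth/request.jwt"},
    "client-b": set(),   # nothing registered, so nothing may be fetched
}

MAX_REQUEST_URI_LEN = 512   # assumed cap; keeps hostile inputs small


def validate_request_uri(client_id, request_uri):
    """Return True only if request_uri is safe to dereference for client_id."""
    if not isinstance(request_uri, str) or len(request_uri) > MAX_REQUEST_URI_LEN:
        return False
    parts = urlsplit(request_uri)
    # https only: the pre-fix code checked this and nothing else.
    if parts.scheme != "https" or not parts.netloc:
        return False
    # Embedded credentials and fragments have no place in a registered URI.
    if parts.username is not None or parts.fragment:
        return False
    try:
        host, port = parts.hostname, parts.port
    except ValueError:          # non-numeric or out-of-range port
        return False
    if not host:
        return False
    # Normalise host case and the default port, then require an exact match;
    # query strings, extra path segments or other hosts all fail.
    netloc = host if port in (None, 443) else f"{host}:{port}"
    normalized = parts._replace(netloc=netloc).geturl()
    return normalized in REGISTERED_REQUEST_URIS.get(client_id, set())


class RecordingFetcher:
    """Stand-in for the outbound HTTP client; records every URL it is asked for."""
    def __init__(self):
        self.urls = []

    def __call__(self, url):
        self.urls.append(url)
        return f"<request object JWT from {url}>"


def resolve_request_object(client_id, request_uri, fetch, enforce_allowlist=True):
    """Dereference request_uri with `fetch`.

    enforce_allowlist=False mirrors the pre-fix behaviour: any https URI is
    fetched, so an attacker can point the authorization server at a host of
    their choosing, once per authorization request."""
    if enforce_allowlist:
        if not validate_request_uri(client_id, request_uri):
            raise ValueError("invalid_request_uri")
    elif urlsplit(request_uri).scheme != "https":
        raise ValueError("invalid_request_uri")
    return fetch(request_uri)


if __name__ == "__main__":
    f = RecordingFetcher()
    resolve_request_object("client-a", "https://victim.example/big", f, enforce_allowlist=False)
    print("pre-fix fetched:", f.urls)
    try:
        resolve_request_object("client-a", "https://victim.example/big", f)
    except ValueError as e:
        print("fixed rejected:", e, "| fetched:", f.urls)
```

Exact-match allowlisting is the strongest form; where a deployment must accept a registered prefix instead, the same structure applies, with the host and scheme checks kept and only the path comparison relaxed.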


CVE-2021-30468: Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter

2021-06-16 Thread Colm O hEigeartaigh
A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows
an attacker to submit malformed JSON to a web service, which results
in the thread getting stuck in an infinite loop, consuming CPU
indefinitely.

This issue affects Apache CXF versions prior to 3.4.4; Apache CXF
versions prior to 3.3.11.

For more information please refer to the CXF security advisories page:
http://cxf.apache.org/security-advisories.html


[CVE-2021-40690] - Apache Santuario - XML Security for Java

2021-09-18 Thread Colm O hEigeartaigh
The Apache Santuario™ project is aimed at providing implementation of
the primary security standards for XML:

- XML-Signature Syntax and Processing
- XML Encryption Syntax and Processing.

A new CVE is released for Apache Santuario - XML Security for Java,
which is fixed in the latest 2.2.3 and 2.1.7 releases:

CVE-2021-40690 - Bypass of the secureValidation property
(https://santuario.apache.org/secadv.data/CVE-2021-40690.txt.asc)

Please see the main site for more information: https://santuario.apache.org/

Colm.


CVE-2022-46363: Apache CXF directory listing / code exfiltration

2022-12-13 Thread Colm O hEigeartaigh
Severity: moderate

Description:

A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows
an attacker to perform a remote directory listing or code
exfiltration. The vulnerability only applies when the CXFServlet is
configured with both the static-resources-list and
redirect-query-check attributes. These attributes are not supposed to
be used together, and so the vulnerability can only arise if the CXF
service is misconfigured.

Credit:

thanat0s from Beijin Qihoo 360 adlab (finder)

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2022-46363


CVE-2022-46364: Apache CXF SSRF Vulnerability

2022-12-13 Thread Colm O hEigeartaigh
CVE-2022-46364: Apache CXF SSRF Vulnerability

Severity: important

Description:

A SSRF vulnerability in parsing the href attribute of XOP:Include in
MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows
an attacker to perform SSRF style attacks on webservices that take at
least one parameter of any type.

Credit:

thanat0s from Beijin Qihoo 360 adlab (finder)

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2022-46364


CVE-2023-25613: LDAP Injection Vulnerability in Apache Kerby

2023-02-20 Thread Colm O hEigeartaigh
Description:

An LDAP Injection vulnerability exists in the LdapIdentityBackend of
Apache Kerby before 2.0.3.

Credit:

4ra1n of Chaitin Tech (finder)

References:

https://directory.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-25613


CVE-2023-44483: Apache Santuario: Private Key disclosure in debug-log output

2023-10-20 Thread Colm O hEigeartaigh
Severity: moderate

Affected versions:

- Apache Santuario before 2.2.6
- Apache Santuario before 2.3.4
- Apache Santuario before 3.0.3

Description:

All versions of Apache Santuario - XML Security for Java prior to
2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to
an issue where a private key may be disclosed in log files when
generating an XML Signature and logging with debug level is enabled.
Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3,
which fixes this issue.

Credit:

Apache Santuario would like to thank Max Fichtelmann for reporting
this issue. (finder)

References:

https://santuario.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-44483


CVE-2024-28752: Apache CXF SSRF Vulnerability using the Aegis databinding

2024-03-14 Thread Colm O hEigeartaigh
Severity: important

Affected versions:

- Apache CXF before 4.0.4, 3.6.3, 3.5.8

Description:

A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF 
before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks 
on webservices that take at least one parameter of any type. Users of other 
data bindings (including the default databinding) are not impacted.

Credit:

Tobias S. Fink (finder)

References:

https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt
https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-28752



CVE-2024-29736: Apache CXF: SSRF vulnerability via WADL stylesheet parameter

2024-07-19 Thread Colm O hEigeartaigh
CVE-2024-29736: SSRF vulnerability via WADL stylesheet parameter

Severity: important

Affected versions:

- Apache CXF before 3.5.9, 3.6.4, 4.0.5

Description:

A SSRF vulnerability in WADL service description in versions of Apache
CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF
style attacks on REST webservices. The attack only applies if a custom
stylesheet parameter is configured.

Credit:

Tobias S. Fink (finder)

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-29736


CVE-2024-41172: Unrestricted memory consumption in CXF HTTP clients

2024-07-19 Thread Colm O hEigeartaigh
CVE-2024-41172: Unrestricted memory consumption in CXF HTTP clients

Severity: low

Affected versions:

- Apache CXF from 3.6.0 before 3.6.4
- Apache CXF from 4.0.0 before 4.0.5

Description:

In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower
versions are not impacted), a CXF HTTP client conduit may prevent
HTTPClient instances from being garbage collected and it is possible
that memory consumption will continue to increase, eventually causing
the application to run out of memory.

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-41172


CVE-2024-32007: Apache CXF Denial of Service vulnerability in JOSE

2024-07-19 Thread Colm O hEigeartaigh
CVE-2024-32007: Apache CXF Denial of Service vulnerability in JOSE

Severity: moderate

Affected versions:

- Apache CXF before 4.0.5, 3.6.4, 3.5.9

Description:

An improper input validation of the p2c parameter in the Apache CXF
JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform
a denial of service attack by specifying a large value for this
parameter in a token.

Credit:

Jingcheng Yang and Jianjun Chen from Sichuan University and
Zhongguancun Lab. (finder)

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-32007


Apache Kerby 2.1.0 released

2024-08-15 Thread Colm O hEigeartaigh
Apache Kerby™ is a Java Kerberos binding. It provides a rich,
intuitive and interoperable implementation, library, KDC and various
facilities that integrate PKI, OTP and token (OAuth2) as desired in
modern environments such as cloud, Hadoop and mobile.

Apache Kerby 2.1.0 is released and is available for download:
https://directory.apache.org/kerby/download/download-sources.html

This release contains bug fixes and dependency upgrades. For a list of
the issues fixed please see
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310910&version=12346557

Colm.