CVE-2014-3584

Impact:
Moderate
Public Date:
2014-10-25
CWE:
CWE-130->CWE-835
Bugzilla:
1157330: CVE-2014-3584 Apache CXF: Denial of Service (DoS) via invalid JAX-RS SAML tokens

The MITRE CVE dictionary describes this issue as:

The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.
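The description above names the bug class (an infinite loop, CWE-835, reached through a length inconsistency, CWE-130) but not the loop. The following is an added illustration, not Apache CXF's code and not a claim about the exact code path in SamlHeaderInHandler: it assumes the header carries a DEFLATE-compressed, Base64-encoded token under an assumed "SAML " scheme (the SAML HTTP-Redirect encoding), uses the zlib-wrapped form that java.util.zip.Inflater expects by default, and shows the classic non-terminating inflate loop beside a bounded one. The size caps, the header scheme string and the sample assertion are all constructed for the example; the truncated token is a demonstration of the generic Inflater hazard, not a reproduction of the CVE.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

public class SamlTokenInflateDemo {
    static final String HEADER_PREFIX = "SAML ";       // assumed scheme name, not from the advisory
    static final int MAX_HEADER_LENGTH = 16 * 1024;    // assumed cap on the raw header
    static final int MAX_INFLATED_BYTES = 256 * 1024;  // assumed cap on the decompressed token

    // Parse "Authorization: SAML <base64>" with a length check before any decoding.
    static byte[] decodeHeaderToken(String authorization) {
        if (authorization == null || !authorization.startsWith(HEADER_PREFIX)) {
            throw new IllegalArgumentException("not a SAML authorization header");
        }
        if (authorization.length() > MAX_HEADER_LENGTH) {
            throw new IllegalArgumentException("authorization header too long");
        }
        return Base64.getDecoder().decode(authorization.substring(HEADER_PREFIX.length()));
    }

    // Vulnerable shape: the only exit condition is inflater.finished().
    // On a truncated stream inflate() keeps returning 0 (needsInput() is true,
    // finished() stays false), so this loop never terminates. Do not call on
    // untrusted input; it is here to show the pattern.
    static byte[] inflateUnbounded(byte[] deflated) throws DataFormatException {
        Inflater inflater = new Inflater();
        inflater.setInput(deflated);
        byte[] buf = new byte[1024];
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        while (!inflater.finished()) {
            int n = inflater.inflate(buf);
            out.write(buf, 0, n);
        }
        inflater.end();
        return out.toByteArray();
    }

    // Hardened shape: a zero-byte return while not finished means the inflater
    // wants more input or a dictionary, i.e. the stream is truncated or malformed,
    // so fail instead of looping; also cap the total decompressed size.
    static byte[] inflateBounded(byte[] deflated, int maxOutputBytes) throws DataFormatException {
        Inflater inflater = new Inflater();
        try {
            inflater.setInput(deflated);
            byte[] buf = new byte[1024];
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            while (!inflater.finished()) {
                int n = inflater.inflate(buf);
                if (n == 0) {
                    throw new DataFormatException("truncated or malformed deflate stream");
                }
                if (out.size() + n > maxOutputBytes) {
                    throw new DataFormatException("inflated token exceeds " + maxOutputBytes + " bytes");
                }
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        } finally {
            inflater.end();
        }
    }

    static byte[] deflate(byte[] data) {
        Deflater deflater = new Deflater();
        deflater.setInput(data);
        deflater.finish();
        byte[] buf = new byte[1024];
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        while (!deflater.finished()) {
            out.write(buf, 0, deflater.deflate(buf));
        }
        deflater.end();
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample assertion; not a real token.
        String assertion = "<saml2:Assertion xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_demo\">"
            + "<saml2:Issuer>https://idp.example.invalid</saml2:Issuer></saml2:Assertion>";
        byte[] deflated = deflate(assertion.getBytes(StandardCharsets.UTF_8));
        String header = HEADER_PREFIX + Base64.getEncoder().encodeToString(deflated);

        byte[] roundTrip = inflateBounded(decodeHeaderToken(header), MAX_INFLATED_BYTES);
        System.out.println("round trip ok: " + assertion.equals(new String(roundTrip, StandardCharsets.UTF_8)));

        // Constructed bad input: the same token with its tail cut off.
        // inflateUnbounded() would spin forever here; inflateBounded() rejects it.
        byte[] truncated = Arrays.copyOf(deflated, deflated.length - 8);
        String badHeader = HEADER_PREFIX + Base64.getEncoder().encodeToString(truncated);
        try {
            inflateBounded(decodeHeaderToken(badHeader), MAX_INFLATED_BYTES);
            System.out.println("unexpected: truncated token accepted");
        } catch (DataFormatException e) {
            System.out.println("rejected truncated token: " + e.getMessage());
        }
    }
}
```

For a deployment that cannot take the fixed CXF release, the same two controls are the practical mitigation: bound the Authorization header length at the proxy or in a request filter that runs before token handling, and bound both the iteration count and the decompressed size of any decoder that consumes it.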

Find out more about CVE-2014-3584 from the MITRE CVE dictionary and NIST NVD.

Statement

This issue did not affect Apache CXF as shipped with Red Hat JBoss Enterprise Application Platform 5 and 6; Red Hat JBoss Enterprise Web Platform 5; Red Hat JBoss SOA Platform 5; Red Hat JBoss Fuse Service Works 6; Red Hat JBoss BRMS 5 and 6; Red Hat JBoss BPM Suite 6; Red Hat JBoss Data Virtualization 6; Red Hat JBoss Operations Network 3 and Red Hat JBoss Portal Platform 6 as the REST Web Services endpoints are not available.

Fuse ESB Enterprise 7 is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/

CVSS v2 metrics

Base Score 4.3
Base Metrics AV:N/AC:M/Au:N/C:N/I:N/A:P
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact None
Integrity Impact None
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Fuse 6.1 RHSA-2014:0400 2014-04-14

Affected Packages State

Platform Package State
Red Hat OpenShift Enterprise 2 activemq Will not fix
Red Hat OpenShift Enterprise 2 cxf Will not fix
Red Hat OpenShift Enterprise 2 openshift-origin-cartridge-amq Will not fix
Red Hat OpenShift Enterprise 2 openshift-origin-cartridge-fuse Will not fix
Red Hat OpenShift Enterprise 1 cxf Will not fix
Red Hat JBoss Fuse Service Works 6 Web Services Not affected
Red Hat JBoss Enterprise SOA Platform 5 Web Services Not affected
Red Hat JBoss EAP 6 Web Services Not affected
Red Hat JBoss EAP 5 cxf Not affected
Red Hat JBoss Data Virtualization 6 Web Services Not affected
Red Hat JBoss BRMS 6 Web Services Not affected
Red Hat JBoss BRMS 5 Web Services Not affected
Red Hat JBoss BPMS 6 Web Services Not affected

CVE description copyright © 2017, The MITRE Corporation
