It was found that Apache WSS4J (Web Services Security for Java), as used by Apache CXF with the TransportBinding, did not, by default, properly enforce all security requirements associated with SAML SubjectConfirmation methods. A remote attacker could use this flaw to perform various types of spoofing attacks on web service endpoints secured by WSS4J that rely on SAML for authentication.
Find out more about CVE-2014-3623 from the MITRE CVE dictionary and NIST NVD.
Fuse ESB Enterprise 7 is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/
Red Hat JBoss SOA Platform 5 and Red Hat JBoss BRMS 5 are now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware Product Life Cycle: https://access.redhat.com/support/policy/updates/jboss_notes/
Base Score | 4.3 |
---|---|
Base Metrics | AV:N/AC:M/Au:N/C:P/I:N/A:N |
Access Vector | Network |
Access Complexity | Medium |
Authentication | None |
Confidentiality Impact | Partial |
Integrity Impact | None |
Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Platform | Errata | Release Date |
---|---|---|
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server (wss4j) | RHSA-2014:2019 | 2014-12-18 |
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (wss4j) | RHSA-2014:2019 | 2014-12-18 |
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (wss4j) | RHSA-2014:2019 | 2014-12-18 |
Red Hat JBoss Enterprise Application Platform 6.3 | RHSA-2014:2020 | 2014-12-18 |
Platform | Package | State |
---|---|---|
Red Hat OpenShift Enterprise 2 | activemq | Will not fix |
Red Hat OpenShift Enterprise 2 | openshift-origin-cartridge-fuse | Will not fix |
Red Hat OpenShift Enterprise 2 | openshift-origin-cartridge-amq | Will not fix |
Red Hat JBoss Fuse Service Works 6 | cxf | Will not fix |
Red Hat JBoss Enterprise SOA Platform 5 | cxf | Will not fix |
Red Hat JBoss EAP 5 | wss4j | Will not fix |
Red Hat JBoss Data Virtualization 6 | cxf | Will not fix |
Red Hat JBoss BRMS 6 | cxf | Will not fix |
Red Hat JBoss BRMS 5 | cxf | Will not fix |
Red Hat JBoss BPMS 6 | cxf | Will not fix |