Vulnerability Name: CVE-2017-3156 (CCN-130249)

Assigned: 2016-12-05
Published: 2017-08-10
Updated: 2021-06-16
Summary: The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
5.4 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-noinfo
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2017-3156

Source: CCN
Type: Apache Web site
CVE-2017-3156: Apache CXF OAuth2 Hawk and JOSE MAC Validation code is vulnerable to the timing attacks

Source: CONFIRM
Type: Vendor Advisory
http://cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc

Source: CCN
Type: IBM Security Bulletin 958165 (Security Identity Governance and Intelligence)
IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerability

Source: CCN
Type: IBM Security Bulletin 2003397 (Tivoli Application Dependency Discovery Manager)
Open Source Apache CXF Vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM) (Multiple CVEs). New CVEs added: CVE-2017-3156

Source: CCN
Type: IBM Security Bulletin 2008493 (Tivoli Network Manager IP Edition)
IBM Tivoli Network Manager IP Edition is affected by an Apache CXF vulnerability (CVE-2017-3156)

Source: BID
Type: Third Party Advisory, VDB Entry
96398

Source: CCN
Type: BID-96398
Apache CXF CVE-2017-3156 Information Disclosure Vulnerability

Source: REDHAT
Type: UNKNOWN
RHSA-2017:1832

Source: XF
Type: UNKNOWN
apache-cxf-cve20173156-weak-security(130249)

Source: MLIST
Type: UNKNOWN
[cxf-commits] 20200319 svn commit: r1058035 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html

Source: MLIST
Type: UNKNOWN
[cxf-commits] 20200116 svn commit: r1055336 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-12423.txt.asc security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html

Source: MLIST
Type: UNKNOWN
[cxf-commits] 20201112 svn commit: r1067927 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2020-13954.txt.asc security-advisories.html

Source: MLIST
Type: UNKNOWN
[cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html

Source: MLIST
Type: UNKNOWN
[cxf-commits] 20210616 svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html

Source: MLIST
Type: UNKNOWN
[cxf-commits] 20200401 svn commit: r1058573 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2020-1954.txt.asc security-advisories.html

Source: CCN
Type: IBM Security Bulletin 2011984 (InfoSphere Master Data Management Server)
Multiple security vulnerabilities in Apache CXF affect IBM InfoSphere Master Data Management (CVE-2016-6812 CVE-2016-8739 CVE-2017-5653 CVE-2017-5656 CVE-2017-3156)

Source: CCN
Type: IBM Security Bulletin 6207901 (Security Identity Governance and Intelligence)
IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities

Vulnerable Configuration: Configuration 1:
  • cpe:/a:apache:cxf:3.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:3.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:3.1.8:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:3.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:3.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:3.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:3.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:3.1.9:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:3.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:3.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:*:*:*:*:*:*:*:* (Version <= 3.0.12)

Configuration CCN 1:
  • cpe:/a:apache:cxf:3.1.8:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:3.0.12:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:tivoli_network_manager:4.1.1:*:ip:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management_server:10.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_network_manager:4.2:*:ip:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management_server:11.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management_server:11.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management_server:11.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management_server:11.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management_server:11.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.5.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable