Vulnerability Name:

CVE-2017-5653 (CCN-125087)

Assigned:2017-04-18
Published:2017-04-18
Updated:2021-06-16
Summary:JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.
CVSS v3 Severity:5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-295
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2017-5653

Source: CCN
Type: Apache Web site
Apache CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted

Source: CONFIRM
Type: Patch, Vendor Advisory
http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc?version=1&modificationDate=1492515074710&api=v2

Source: CCN
Type: IBM Security Bulletin 958165 (Security Identity Governance and Intelligence)
IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerability

Source: CCN
Type: IBM Security Bulletin 2003397 (Tivoli Application Dependency Discovery Manager)
Open Source Apache CXF Vulnerablities affect IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2016-6812, CVE-2016-8739)New CVEs added: CVE-2017-5653, CVE-2017-5656

Source: BID
Type: Third Party Advisory, VDB Entry
97968

Source: CCN
Type: BID-97968
Apache CXF CVE-2017-5653 Spoofing Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1038279

Source: REDHAT
Type: Issue Tracking
RHSA-2017:1832

Source: XF
Type: UNKNOWN
apache-cxf-cve20175653-spoofing(125087)

Source: MLIST
Type: UNKNOWN
[cxf-commits] 20200319 svn commit: r1058035 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html

Source: MLIST
Type: UNKNOWN
[cxf-commits] 20200116 svn commit: r1055336 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-12423.txt.asc security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html

Source: MLIST
Type: UNKNOWN
[cxf-commits] 20201112 svn commit: r1067927 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2020-13954.txt.asc security-advisories.html

Source: MLIST
Type: UNKNOWN
[cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html

Source: MLIST
Type: UNKNOWN
[cxf-commits] 20210616 svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html

Source: MLIST
Type: UNKNOWN
[cxf-commits] 20200401 svn commit: r1058573 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2020-1954.txt.asc security-advisories.html

Source: CCN
Type: IBM Security Bulletin 2011984 (InfoSphere Master Data Management Server)
Mulitiple security vulnerabilities in Apache CXF affects IBM InfoSphere Master Data Management (CVE-2016-6812 CVE-2016-8739 CVE-2017-5653 CVE-2017-5656 CVE-2017-3156)

Source: CCN
Type: IBM Security Bulletin 6207901 (Security Identity Governance and Intelligence)
IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities

Vulnerable Configuration:Configuration 1:
  • cpe:/a:apache:cxf:*:*:*:*:*:*:*:* (Version >= 3.0.0 and <= 3.0.13)
  • OR cpe:/a:apache:cxf:*:*:*:*:*:*:*:* (Version >= 3.1.0 and <= 3.1.11)

    • Configuration CCN 1:
  • cpe:/a:apache:cxf:3.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:3.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:3.0.11:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:3.1.8:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:infosphere_master_data_management_server:10.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management_server:11.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management_server:11.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management_server:11.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management_server:11.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management_server:11.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.6:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    apache cxf *
    apache cxf *
    apache cxf 3.0.6
    apache cxf 3.1.2
    apache cxf 3.0.11
    apache cxf 3.1.8
    ibm infosphere master data management server 10.1
    ibm tivoli application dependency discovery manager 7.3
    ibm security identity governance and intelligence 5.2
    ibm security identity governance and intelligence 5.2.1
    ibm infosphere master data management server 11.0
    ibm infosphere master data management server 11.3
    ibm infosphere master data management server 11.4
    ibm infosphere master data management server 11.5
    ibm infosphere master data management server 11.6
    ibm security identity governance and intelligence 5.2.2
    ibm security identity governance and intelligence 5.2.2.1
    ibm security identity governance and intelligence 5.2.3
    ibm security identity governance and intelligence 5.2.3.1
    ibm security identity governance and intelligence 5.2.3.2
    ibm security identity governance and intelligence 5.2.4
    ibm security identity governance and intelligence 5.2.4.1
    ibm security identity governance and intelligence 5.2.5.0
    ibm security identity governance and intelligence 5.2.6