Thursday, September 8, 2016

Apache CXF Fediz 1.2.3 and 1.3.1 released

Apache CXF Fediz 1.2.3 and 1.3.1 have been released. The 1.3.1 release contains the following significant features/fixes:
  • An update to use Apache CXF 3.1.7 
  • Support for Facebook Login as a Trusted IdP.
  • A fix for SAML SSO redirection on ForceAuthn or token expiry.
  • A bug fix to support multiple realms in the IdP.
  • A fix to enforce that mandatory claims are present in the received token.
In addition, both 1.2.3 and 1.3.1 contain a fix for a new security advisory - CVE-2016-4464:
Apache CXF Fediz is a subproject of Apache CXF which implements the WS-Federation Passive Requestor Profile for SSO specification. It provides a number of container based plugins to enable SSO for Relying Party applications. It is possible to configure a list of audience URIs for the plugins, against which the AudienceRestriction values of the received SAML tokens are supposed to be matched. However, this matching does not actually take place.

This means that a token could be accepted by the application plugin (assuming that the signature is trusted) that is targeted for another service, something that could potentially be exploited by an attacker.
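The missing check described above, as an added illustration (not Fediz's own code): a relying party parses the SAML 2.0 `<AudienceRestriction>` elements of a received assertion and compares every `<Audience>` value against its configured list of audience URIs. Following SAML 2.0 semantics, each `AudienceRestriction` element must be satisfied by at least one of its `Audience` values; a token addressed to another service is rejected even if its signature is trusted. The assertion XML, the `https://rp.example.com/...` URIs and the `CONFIGURED_AUDIENCES` set are constructed values; the example assumes signature verification has already happened elsewhere.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Audience URIs this Relying Party is configured to accept (constructed, hypothetical values).
CONFIGURED_AUDIENCES = {"https://rp.example.com/fedizhelloworld"}


def _assertion(audience_uri):
    """Build a minimal, unsigned SAML 2.0 assertion (constructed sample input)."""
    return f"""<saml2:Assertion xmlns:saml2="{SAML2_NS}" ID="_constructed-id" Version="2.0">
  <saml2:Issuer>https://idp.example.com/idp</saml2:Issuer>
  <saml2:Conditions>
    <saml2:AudienceRestriction>
      <saml2:Audience>{audience_uri}</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""


# Constructed tokens: one addressed to this RP, one addressed to some other service.
TOKEN_FOR_US = _assertion("https://rp.example.com/fedizhelloworld")
TOKEN_FOR_OTHER_SERVICE = _assertion("https://other.example.com/app")


def extract_audience_restrictions(assertion_xml):
    """Return one set of Audience URIs per <saml2:AudienceRestriction> element."""
    root = ET.fromstring(assertion_xml)
    restrictions = []
    for restriction in root.iter(f"{{{SAML2_NS}}}AudienceRestriction"):
        uris = {
            aud.text.strip()
            for aud in restriction.findall(f"{{{SAML2_NS}}}Audience")
            if aud.text and aud.text.strip()
        }
        restrictions.append(uris)
    return restrictions


def audience_allowed(assertion_xml, configured=CONFIGURED_AUDIENCES):
    """Enforce the configured audience list against the assertion.

    SAML 2.0 treats multiple AudienceRestriction elements as AND and the
    Audience values inside one element as OR, so every restriction must
    contain at least one configured URI. An assertion with no restriction at
    all is rejected here as well (assumption: a configured list means the RP
    only accepts tokens that name it explicitly).
    """
    restrictions = extract_audience_restrictions(assertion_xml)
    if not restrictions:
        return False
    return all(uris & configured for uris in restrictions)


if __name__ == "__main__":
    print("token for us accepted:", audience_allowed(TOKEN_FOR_US))
    print("token for other service accepted:", audience_allowed(TOKEN_FOR_OTHER_SERVICE))
```

Run as a script, the first token is accepted and the second rejected; the advisory describes the situation in which `audience_allowed` was effectively never consulted, so the second token would have been accepted too.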
