CVE-2014-3623
WSO2 Products Impacted: Not Affected
WSO2 Products Severity: N/A
WSO2 Products CVSS Score: N/A (Original CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N - Score: 5.0 MEDIUM)
Customers Actions Required: No
REPORTED VULNERABILITY
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors. [1]
REPORTED PRODUCTS
- WSO2 API Manager: 3.2.0, 3.2.1, 4.0.0, 4.1.0, 4.2.0
WSO2 JUSTIFICATION
This vulnerability is not applicable to WSO2 products for the following reasons:
WSO2 products use wso2-wss4j, a fork of Apache WSS4J that is maintained by WSO2. The vulnerable component, the org.apache.wss4j:wss4j-ws-security-dom package, is not used in WSO2 API Manager or in other WSO2 products. [2]
Additionally, WSO2 API Manager versions have been updated to use secure versions of Apache CXF:
- Versions 3.2.0 and 4.0.0 use Apache CXF 3.2.8
- Versions 4.1.0 and 4.2.0 use Apache CXF 3.5.5
Both CXF versions include the security fixes that prevent exploitation of this vulnerability. [3]
Given that WSO2 products do not use the vulnerable WSS4J components and have upgraded to a secure version of Apache CXF, this vulnerability cannot be exploited in WSO2 product deployments.
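As an added check that is not part of this advisory (it is neither WSO2's nor Apache's code), the following Python script encodes the affected version ranges stated in the CVE text and flags WSS4J or CXF jars by file name, so a deployment's lib directory can be compared against the versions listed above. It assumes upstream Maven artifact naming (<artifact>-<version>.jar) and uses constructed sample file names; jars from the wso2-wss4j fork are only matched if they happen to follow the same naming, which is not assumed here.

```python
import re
from pathlib import Path
# Version predicates transcribed from the CVE text above; branches the advisory
# does not describe (e.g. CXF 2.6.x, WSS4J 3.x) return None rather than False.
def parse_version(text):
    """'2.7.13-SNAPSHOT' -> (2, 7, 13); missing components count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def wss4j_affected(version):
    v = parse_version(version)
    return {1: v < (1, 6, 17), 2: v < (2, 0, 2)}.get(v[0])

def cxf_affected(version):
    v = parse_version(version)
    if v[:2] == (2, 7):
        return v < (2, 7, 13)
    if v[:2] == (3, 0):
        return v < (3, 0, 2)
    return False if v[0] == 3 else None  # later 3.x lines: page cites 3.2.8 and 3.5.5 as fixed

# Assumes upstream Maven jar naming (<artifact>-<version>.jar), e.g.
# wss4j-ws-security-dom-2.0.1.jar or cxf-rt-ws-security-3.0.1.jar.
JAR_RE = re.compile(r"^(wss4j|cxf)(?:-[A-Za-z][A-Za-z0-9]*)*-(\d+(?:\.\d+)+)(?:[-.].*)?\.jar$")

def classify_jar(name):
    """(product, version, affected) for a WSS4J/CXF jar name, else None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    product, version = m.group(1), m.group(2)
    check = wss4j_affected if product == "wss4j" else cxf_affected
    return product, version, check(version)

def scan_names(names):
    """Map every recognised jar name to its (product, version, affected)."""
    return {n: c for n in names if (c := classify_jar(n))}

def scan_lib_dir(path):
    """Same report for every jar below a product's installation directory."""
    return scan_names(p.name for p in Path(path).rglob("*.jar"))

SAMPLE_JARS = [  # constructed names, not taken from any WSO2 distribution
    "wss4j-1.6.16.jar",                 # WSS4J before 1.6.17: affected
    "wss4j-ws-security-dom-2.0.1.jar",  # component named in the advisory: affected
    "cxf-rt-ws-security-3.0.1.jar",     # CXF 3.0.x before 3.0.2: affected
    "cxf-core-3.2.8.jar",               # CXF used by API Manager 3.2.0/4.0.0: fixed
    "cxf-core-3.5.5.jar",               # CXF used by API Manager 4.1.0/4.2.0: fixed
    "commons-lang-2.6.jar",             # unrelated jar, ignored
]
```

Running scan_lib_dir against an installation root reports every matched jar with an affected flag of True, False, or None (version line not covered by the CVE text), so a None result still needs a manual look.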