Moderate severity · NVD Advisory · Published Jul 7, 2014 · Updated May 6, 2026
CVE-2014-0034
Description
The SecurityTokenService (STS) in Apache CXF before 2.6.12 and 2.7.x before 2.7.9 does not properly validate SAML tokens when caching is enabled, which allows remote attackers to gain access via an invalid SAML token. Concretely, the STS consulted its token cache (keyed by the assertion's signature value) before verifying the assertion's signature, so on a cache hit an assertion whose content had been altered after signing could be accepted without cryptographic verification; see the fix commit under Patches.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.cxf:cxf-rt-ws-security (Maven) | < 2.6.12 | 2.6.12 |
| org.apache.cxf:cxf-rt-ws-security (Maven) | >= 2.7.0, < 2.7.9 | 2.7.9 |
Affected products
- cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:* (version range: <= 2.6.11; the affected 2.7.x releases are listed individually below)
- cpe:2.3:a:apache:cxf:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.2.0:*:*:*:*:*:*:*
Patches
b4b9a010bb23 — Validation fix in the STS
2 files changed · +72 −25
services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java+23 −24 modified
@@ -153,6 +153,29 @@ public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParame
 SAMLTokenPrincipal samlPrincipal = new SAMLTokenPrincipalImpl(assertion);
 response.setPrincipal(samlPrincipal);
+ if (!assertion.isSigned()) {
+ LOG.log(Level.WARNING, "The received assertion is not signed, and therefore not trusted");
+ return response;
+ }
+
+ RequestData requestData = new RequestData();
+ requestData.setSigVerCrypto(sigCrypto);
+ WSSConfig wssConfig = WSSConfig.getNewInstance();
+ requestData.setWssConfig(wssConfig);
+ requestData.setCallbackHandler(callbackHandler);
+ requestData.setMsgContext(tokenParameters.getWebServiceContext().getMessageContext());
+
+ WSDocInfo docInfo = new WSDocInfo(validateTargetElement.getOwnerDocument());
+
+ // Verify the signature
+ Signature sig = assertion.getSignature();
+ KeyInfo keyInfo = sig.getKeyInfo();
+ SAMLKeyInfo samlKeyInfo =
+ SAMLUtil.getCredentialFromKeyInfo(
+ keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData, docInfo), sigCrypto
+ );
+ assertion.verifySignature(samlKeyInfo);
+
 SecurityToken secToken = null;
 byte[] signatureValue = assertion.getSignatureValue();
 if (tokenParameters.getTokenStore() != null && signatureValue != null
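Review bot: The new line `KeyInfo keyInfo = sig.getKeyInfo();` is dereferenced unconditionally on the next line (`keyInfo.getDOM()`), so an assertion that is signed but carries no ds:KeyInfo would presumably surface as a NullPointerException rather than the explicit "not trusted" response the unsigned case gets a few lines earlier; that is still fail-closed, but it hides the reason. Guard it the same way: `if (keyInfo == null) { LOG.log(Level.WARNING, "The received assertion has no KeyInfo, and therefore cannot be trusted"); return response; }`. Moving the unsigned check and `assertion.verifySignature(samlKeyInfo)` ahead of the token-store lookup is the substance of the fix; it binds the presented content to the key named in the assertion's own KeyInfo, while trust in that key is decided elsewhere (the `certConstraints.matches(cert)` check later in this file), so I would say so above `// Verify the signature`: `// Binds the assertion content to the key in its KeyInfo; trust in that key is established separately below`. validateToken begins before this hunk and continues after it.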
@@ -169,29 +192,6 @@ public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParame
 }
 if (secToken == null) {
- if (!assertion.isSigned()) {
- LOG.log(Level.WARNING, "The received assertion is not signed, and therefore not trusted");
- return response;
- }
-
- RequestData requestData = new RequestData();
- requestData.setSigVerCrypto(sigCrypto);
- WSSConfig wssConfig = WSSConfig.getNewInstance();
- requestData.setWssConfig(wssConfig);
- requestData.setCallbackHandler(callbackHandler);
- requestData.setMsgContext(tokenParameters.getWebServiceContext().getMessageContext());
-
- WSDocInfo docInfo = new WSDocInfo(validateTargetElement.getOwnerDocument());
-
- // Verify the signature
- Signature sig = assertion.getSignature();
- KeyInfo keyInfo = sig.getKeyInfo();
- SAMLKeyInfo samlKeyInfo =
- SAMLUtil.getCredentialFromKeyInfo(
- keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData, docInfo), sigCrypto
- );
- assertion.verifySignature(samlKeyInfo);
-
 // Validate the assertion against schemas/profiles
 validateAssertion(assertion);
@@ -211,7 +211,6 @@ public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParame
 if (!certConstraints.matches(cert)) {
 return response;
 }
- }
 // Parse roles from the validated token
services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java+49 −1 modified
@@ -34,6 +34,7 @@ import org.w3c.dom.Document;
 import org.w3c.dom.Element;
+ import org.apache.cxf.jaxws.context.WebServiceContextImpl;
 import org.apache.cxf.jaxws.context.WrappedMessageContext;
 import org.apache.cxf.message.MessageImpl;
@@ -425,6 +426,53 @@ public void testSAML2AssertionWithRolesCaching() throws Exception {
 assertTrue(roles.iterator().next().getName().equals("employee"));
 }
+ /**
+ * Test an invalid SAML 2 Assertion
+ */
+ @org.junit.Test
+ public void testInvalidSAML2Assertion() throws Exception {
+ TokenValidator samlTokenValidator = new SAMLTokenValidator();
+ TokenValidatorParameters validatorParameters = createValidatorParameters();
+ TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
+
+ // Create a ValidateTarget consisting of a SAML Assertion
+ Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
+ CallbackHandler callbackHandler = new PasswordCallbackHandler();
+ Element samlToken =
+ createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler);
+ Document doc = samlToken.getOwnerDocument();
+ samlToken = (Element)doc.appendChild(samlToken);
+
+ ReceivedToken validateTarget = new ReceivedToken(samlToken);
+ tokenRequirements.setValidateTarget(validateTarget);
+ validatorParameters.setToken(validateTarget);
+
+ assertTrue(samlTokenValidator.canHandleToken(validateTarget));
+
+ TokenValidatorResponse validatorResponse =
+ samlTokenValidator.validateToken(validatorParameters);
+ assertTrue(validatorResponse != null);
+ assertTrue(validatorResponse.getToken() != null);
+ assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
+
+ // Replace "alice" with "bob".
+ Element nameID =
+ (Element)samlToken.getElementsByTagNameNS(WSConstants.SAML2_NS, "NameID").item(0);
+ nameID.setTextContent("bob");
+
+ // Now validate again
+ validateTarget = new ReceivedToken(samlToken);
+ tokenRequirements.setValidateTarget(validateTarget);
+ validatorParameters.setToken(validateTarget);
+
+ assertTrue(samlTokenValidator.canHandleToken(validateTarget));
+
+ validatorResponse = samlTokenValidator.validateToken(validatorParameters);
+ assertTrue(validatorResponse != null);
+ assertTrue(validatorResponse.getToken() != null);
+ assertTrue(validatorResponse.getToken().getState() != STATE.VALID);
+ }
+
 private TokenValidatorParameters createValidatorParameters() throws WSSecurityException {
 TokenValidatorParameters parameters = new TokenValidatorParameters();
@@ -627,5 +675,5 @@ public void handle(Callback[] callbacks) throws IOException,
 }
 }
-
+
 }
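Review bot: testInvalidSAML2Assertion never visibly configures a TokenStore on the parameters it builds, so whether the second validateToken call actually takes the cached path this CVE is about depends on createValidatorParameters(), whose body runs past the end of the hunk; the sibling testSAML2AssertionWithRolesCaching named in the hunk header suggests there is a caching setup worth reusing here, or a second variant of this test that asserts a cache hit still rejects the tampered NameID. The closing assertion `assertTrue(validatorResponse.getToken().getState() != STATE.VALID);` accepts any non-VALID state; if the validator is expected to report a tampered assertion as invalid, pin it: `assertEquals(STATE.INVALID, validatorResponse.getToken().getState());`. The two `assertTrue(... != null)` pairs read better as `assertNotNull(...)`, which also gives a clearer failure message.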
Vulnerability mechanics
Before the fix, SAMLTokenValidator.validateToken looked up the presented assertion in the STS TokenStore by its signature value and performed the unsigned-assertion check and assertion.verifySignature only when no cached entry was found (the `if (secToken == null)` path). With caching enabled, an assertion whose signature value matched a previously validated token was therefore accepted without its signature being verified, even if its content (for example the NameID) had been altered after signing. The fix commit moves the unsigned-assertion rejection and the signature verification ahead of the cache lookup, so every presented assertion is verified cryptographically before any cached result is consulted; the added testInvalidSAML2Assertion checks that an assertion validated once and then modified is no longer reported VALID.
References
- svn.apache.org/viewvc (nvd: Patch, WEB)
- cxf.apache.org/security-advisories.data/CVE-2014-0034.txt.asc (nvd: Vendor Advisory, WEB)
- github.com/advisories/GHSA-38x2-fp9m-87mx (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2014-0034ghsaADVISORY
- rhn.redhat.com/errata/RHSA-2014-0797.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2014-0798.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2014-0799.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2014-1351.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2015-0850.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2015-0851.htmlnvdWEB
- github.com/apache/cxf/commit/b4b9a010bb23059251400455afabddee15b46127 (ghsa: WEB) — the fix commit shown under Patches
- lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3EghsaWEB
- www.securityfocus.com/bid/68441nvd
- lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3Envd
- lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3Envd
- lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3Envd
- lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3Envd
- lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3Envd
- lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3Envd