Moderate severity · NVD Advisory · Published Jul 7, 2014 · Updated May 6, 2026
CVE-2014-0035
Description
The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.cxf:cxf-core (Maven) | < 2.6.13 | 2.6.13 |
| org.apache.cxf:cxf-core (Maven) | >= 2.7.0, < 2.7.10 | 2.7.10 |
Affected products
Patches
2d2fd1bf67dc — Merged revisions 1564731 via git cherry-pick from
5 files changed · +108 −1
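--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -262,7 +262,7 @@ private void doEncryptBeforeSign() {
                 this.addDerivedKeyElement(secondRefList);
             } else if (!secondEncrParts.isEmpty()) {
                 //Encrypt, get hold of the ref list and add it
-                secondRefList = ((WSSecEncrypt)encr).encryptForRef(null, encrParts);
+                secondRefList = ((WSSecEncrypt)encr).encryptForRef(null, secondEncrParts);
                 this.addDerivedKeyElement(secondRefList);
             }
         }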
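Review bot: The corrected `encryptForRef(null, secondEncrParts)` call keeps only the generic comment `//Encrypt, get hold of the ref list and add it`, which does not record why this branch must pass `secondEncrParts` and not the first-pass `encrParts`, so the same mix-up could be reintroduced by a later edit. Suggest replacing that comment with `// Second encryption pass: encrypt secondEncrParts, never the first-pass encrParts (already encrypted above). Passing encrParts here left the second-pass parts, e.g. an EncryptedSupportingToken such as the UsernameToken, in cleartext (CVE-2014-0035).` — the "already encrypted above" part is inferred from the variable names and should be confirmed against the earlier part of the method. The enclosing `doEncryptBeforeSign()` starts and ends outside the hunk, so whether `secondEncrParts` can contain anything that was also in `encrParts` cannot be checked here. The same one-line hunk appears again in the second commit below (`d24972170869`), where the same comment applies.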
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java+23 −0 modified@@ -338,6 +338,29 @@ public void testAsymmetricUsernameToken() throws Exception { bus.shutdown(true); } + @org.junit.Test + public void testSymmetricUsernameToken() throws Exception { + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = X509TokenTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = X509TokenTest.class.getResource("DoubleItX509.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItSymmetricUsernameTokenPort"); + DoubleItPortType x509Port = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(x509Port, PORT); + + x509Port.doubleIt(25); + + ((java.io.Closeable)x509Port).close(); + bus.shutdown(true); + } + @org.junit.Test public void testSymmetricProtectTokens() throws Exception {
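Review bot: The new `testSymmetricUsernameToken` only checks that `x509Port.doubleIt(25)` returns without throwing; it neither asserts the result nor inspects the outbound message, so catching a regression to a cleartext UsernameToken relies entirely on the server endpoint enforcing the `EncryptedSupportingTokens` assertion, which this hunk does not show. In addition, `((java.io.Closeable)x509Port).close()` and `bus.shutdown(true)` are skipped when the call throws, so a failing run can leave the bus set as default for the tests that follow; the sibling `testAsymmetricUsernameToken` visible at the top of the hunk appears to share that pattern. Suggest guarding the teardown with try/finally and asserting the return value (50, if `DoubleItImpl` doubles its argument as the name suggests). The second commit adds an identical test (`@@ -442,6 +442,29 @@`), where the same change applies.
```java
        updateAddressPort(x509Port, PORT);

        try {
            // 25 doubled; confirm against DoubleItImpl if it does more than double
            org.junit.Assert.assertEquals(50, x509Port.doubleIt(25));
        } finally {
            ((java.io.Closeable)x509Port).close();
            bus.shutdown(true);
        }
```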
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml+11 −0 modified@@ -236,6 +236,17 @@ </jaxws:properties> </jaxws:client> + <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSymmetricUsernameTokenPort" createdFromAPI="true"> + <jaxws:properties> + <entry key="ws-security.encryption.properties" + value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> + <entry key="ws-security.encryption.username" value="bob"/> + <entry key="ws-security.username" value="alice"/> + <entry key="ws-security.callback-handler" + value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/> + </jaxws:properties> + </jaxws:client> + <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSymmetricProtectTokensPort" createdFromAPI="true"> <jaxws:properties>
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl+64 −0 modified@@ -258,6 +258,24 @@ </wsdl:fault> </wsdl:operation> </wsdl:binding> + <wsdl:binding name="DoubleItSymmetricUsernameTokenBinding" type="tns:DoubleItPortType"> + <wsp:PolicyReference URI="#DoubleItSymmetricUsernameTokenPolicy"/> + <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/> + <wsdl:operation name="DoubleIt"> + <soap:operation soapAction=""/> + <wsdl:input> + <soap:body use="literal"/> + <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/> + </wsdl:input> + <wsdl:output> + <soap:body use="literal"/> + <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/> + </wsdl:output> + <wsdl:fault name="DoubleItFault"> + <soap:body use="literal" name="DoubleItFault"/> + </wsdl:fault> + </wsdl:operation> + </wsdl:binding> <wsdl:binding name="DoubleItSymmetricProtectTokensBinding" type="tns:DoubleItPortType"> <wsp:PolicyReference URI="#DoubleItSymmetricProtectTokensPolicy" /> <soap:binding style="document" @@ -469,6 +487,9 @@ binding="tns:DoubleItAsymmetricUsernameTokenBinding"> <soap:address location="http://localhost:9001/DoubleItX509AsymmetricUsernameToken" /> </wsdl:port> + <wsdl:port name="DoubleItSymmetricUsernameTokenPort" binding="tns:DoubleItSymmetricUsernameTokenBinding"> + <soap:address location="http://localhost:9001/DoubleItX509SymmetricUsernameToken"/> + </wsdl:port> <wsdl:port name="DoubleItSymmetricProtectTokensPort" binding="tns:DoubleItSymmetricProtectTokensBinding"> <soap:address location="http://localhost:9001/DoubleItX509SymmetricProtect" /> 
@@ -953,6 +974,49 @@ </wsp:ExactlyOne> </wsp:Policy> + <wsp:Policy wsu:Id="DoubleItSymmetricUsernameTokenPolicy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:SymmetricBinding> + <wsp:Policy> + <sp:ProtectionToken> + <wsp:Policy> + <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"> + <wsp:Policy> + <sp:WssX509V3Token11/> + <sp:RequireThumbprintReference/> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:ProtectionToken> + <sp:Layout> + <wsp:Policy> + <sp:Lax/> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp/> + <sp:OnlySignEntireHeadersAndBody/> + <sp:EncryptBeforeSigning/> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:Basic128/> + </wsp:Policy> + </sp:AlgorithmSuite> + </wsp:Policy> + </sp:SymmetricBinding> + <sp:EncryptedSupportingTokens> + <wsp:Policy> + <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> + <wsp:Policy> + <sp:WssUsernameToken11/> + </wsp:Policy> + </sp:UsernameToken> + </wsp:Policy> + </sp:EncryptedSupportingTokens> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + <wsp:Policy wsu:Id="DoubleItSymmetricProtectTokensPolicy"> <wsp:ExactlyOne> <wsp:All>
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml+9 −0 modified@@ -386,6 +386,15 @@ </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SymmetricUsernameToken" address="http://localhost:${testutil.ports.Server}/DoubleItX509SymmetricUsernameToken" serviceName="s:DoubleItService" endpointName="s:DoubleItSymmetricUsernameTokenPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl"> + <jaxws:properties> + <entry key="ws-security.callback-handler" + value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" + value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint id="SymmetricProtectTokens" address="http://localhost:${testutil.ports.Server}/DoubleItX509SymmetricProtect"
d24972170869 — Another EncryptBeforeSigning fix
5 files changed · +108 −1
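--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -262,7 +262,7 @@ private void doEncryptBeforeSign() {
                 this.addDerivedKeyElement(secondRefList);
             } else if (!secondEncrParts.isEmpty()) {
                 //Encrypt, get hold of the ref list and add it
-                secondRefList = ((WSSecEncrypt)encr).encryptForRef(null, encrParts);
+                secondRefList = ((WSSecEncrypt)encr).encryptForRef(null, secondEncrParts);
                 this.addDerivedKeyElement(secondRefList);
             }
         }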
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java+23 −0 modified@@ -442,6 +442,29 @@ public void testAsymmetricUsernameToken() throws Exception { bus.shutdown(true); } + @org.junit.Test + public void testSymmetricUsernameToken() throws Exception { + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = X509TokenTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = X509TokenTest.class.getResource("DoubleItX509.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItSymmetricUsernameTokenPort"); + DoubleItPortType x509Port = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(x509Port, PORT); + + x509Port.doubleIt(25); + + ((java.io.Closeable)x509Port).close(); + bus.shutdown(true); + } + @org.junit.Test public void testSymmetricProtectTokens() throws Exception {
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml+11 −0 modified@@ -266,6 +266,17 @@ </jaxws:properties> </jaxws:client> + <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSymmetricUsernameTokenPort" createdFromAPI="true"> + <jaxws:properties> + <entry key="ws-security.encryption.properties" + value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> + <entry key="ws-security.encryption.username" value="bob"/> + <entry key="ws-security.username" value="alice"/> + <entry key="ws-security.callback-handler" + value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/> + </jaxws:properties> + </jaxws:client> + <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSymmetricProtectTokensPort" createdFromAPI="true"> <jaxws:properties>
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl+64 −0 modified@@ -296,6 +296,24 @@ </wsdl:fault> </wsdl:operation> </wsdl:binding> + <wsdl:binding name="DoubleItSymmetricUsernameTokenBinding" type="tns:DoubleItPortType"> + <wsp:PolicyReference URI="#DoubleItSymmetricUsernameTokenPolicy"/> + <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/> + <wsdl:operation name="DoubleIt"> + <soap:operation soapAction=""/> + <wsdl:input> + <soap:body use="literal"/> + <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/> + </wsdl:input> + <wsdl:output> + <soap:body use="literal"/> + <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/> + </wsdl:output> + <wsdl:fault name="DoubleItFault"> + <soap:body use="literal" name="DoubleItFault"/> + </wsdl:fault> + </wsdl:operation> + </wsdl:binding> <wsdl:binding name="DoubleItSymmetricProtectTokensBinding" type="tns:DoubleItPortType"> <wsp:PolicyReference URI="#DoubleItSymmetricProtectTokensPolicy" /> <soap:binding style="document" @@ -514,6 +532,9 @@ binding="tns:DoubleItAsymmetricUsernameTokenBinding"> <soap:address location="http://localhost:9001/DoubleItX509AsymmetricUsernameToken" /> </wsdl:port> + <wsdl:port name="DoubleItSymmetricUsernameTokenPort" binding="tns:DoubleItSymmetricUsernameTokenBinding"> + <soap:address location="http://localhost:9001/DoubleItX509SymmetricUsernameToken"/> + </wsdl:port> <wsdl:port name="DoubleItSymmetricProtectTokensPort" binding="tns:DoubleItSymmetricProtectTokensBinding"> <soap:address location="http://localhost:9001/DoubleItX509SymmetricProtect" /> 
@@ -1086,6 +1107,49 @@ </wsp:ExactlyOne> </wsp:Policy> + <wsp:Policy wsu:Id="DoubleItSymmetricUsernameTokenPolicy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:SymmetricBinding> + <wsp:Policy> + <sp:ProtectionToken> + <wsp:Policy> + <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"> + <wsp:Policy> + <sp:WssX509V3Token11/> + <sp:RequireThumbprintReference/> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:ProtectionToken> + <sp:Layout> + <wsp:Policy> + <sp:Lax/> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp/> + <sp:OnlySignEntireHeadersAndBody/> + <sp:EncryptBeforeSigning/> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:Basic128/> + </wsp:Policy> + </sp:AlgorithmSuite> + </wsp:Policy> + </sp:SymmetricBinding> + <sp:EncryptedSupportingTokens> + <wsp:Policy> + <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> + <wsp:Policy> + <sp:WssUsernameToken11/> + </wsp:Policy> + </sp:UsernameToken> + </wsp:Policy> + </sp:EncryptedSupportingTokens> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + <wsp:Policy wsu:Id="DoubleItSymmetricProtectTokensPolicy"> <wsp:ExactlyOne> <wsp:All>
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml+9 −0 modified@@ -430,6 +430,15 @@ </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SymmetricUsernameToken" address="http://localhost:${testutil.ports.Server}/DoubleItX509SymmetricUsernameToken" serviceName="s:DoubleItService" endpointName="s:DoubleItSymmetricUsernameTokenPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl"> + <jaxws:properties> + <entry key="ws-security.callback-handler" + value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" + value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint id="SymmetricProtectTokens" address="http://localhost:${testutil.ports.Server}/DoubleItX509SymmetricProtect"
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- svn.apache.org/viewvcnvdPatchWEB
- cxf.apache.org/security-advisories.data/CVE-2014-0035.txt.ascnvdVendor AdvisoryWEB
- github.com/advisories/GHSA-v45r-rj5x-hpg2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2014-0035ghsaADVISORY
- rhn.redhat.com/errata/RHSA-2014-0797.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2014-0798.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2014-0799.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2014-1351.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2015-0850.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2015-0851.htmlnvdWEB
- github.com/apache/cxf/commit/2d2fd1bf67dc2247b6aca31b83a571d865fad1c9ghsaWEB
- github.com/apache/cxf/commit/d249721708694cbb0f431c0658166ebdcb02ec15ghsaWEB
- lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3Envd
- lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3Envd
- lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3Envd
- lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3Envd
- lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3Envd
- lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3Envd
News mentions
No linked articles in our index yet.