VYPR
Get started
← All advisories
Medium severity5.3NVD Advisory· Published Apr 18, 2017· Updated May 13, 2026

CVE-2017-5653

CVE-2017-5653

Description

JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.cxf:cxf-coreMaven
>= 3.1.0, < 3.1.113.1.11
org.apache.cxf:cxf-coreMaven
< 3.0.133.0.13

Affected products

2
  • Apache/Cxf
    cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*
    Range: >=3.0.0,<=3.0.13
  • Apache Software Foundation/Apache CXFv5
    Range: prior to 3.0.13

Patches

1
20d0fa3ec41c

Finalizing XmlSecInInterceptor updates

https://github.com/apache/cxfSergey BeryozkinMar 27, 2017via ghsa
commit
2 files changed · +35 62
  • rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/ClientXmlSecInInterceptor.java+0 46 removed
    @@ -1,46 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.xml;
-
-import java.io.IOException;
-
-import javax.ws.rs.WebApplicationException;
-import javax.ws.rs.ext.ReaderInterceptor;
-import javax.ws.rs.ext.ReaderInterceptorContext;
-
-import org.apache.cxf.jaxrs.utils.JAXRSUtils;
-import org.apache.cxf.message.Message;
-
-public class ClientXmlSecInInterceptor extends XmlSecInInterceptor implements ReaderInterceptor {
-
-    @Override
-    public Object aroundReadFrom(ReaderInterceptorContext ctx) throws IOException, WebApplicationException {
-        Message message = JAXRSUtils.getCurrentMessage();    
-        handleMessage(message);
-        Object object = ctx.proceed();
-        new StaxActionInInterceptor(super.isRequireSignature(), 
-                                    super.isRequireEncryption()).handleMessage(message);
-        return object;
-    }
-    
-    @Override
-    protected void registerStaxActionInInterceptor(Message inMsg) {
-        // complete
-    }
-}
  • rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java+35 16 modified
    @@ -34,7 +34,10 @@
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Response;
+import javax.ws.rs.ext.ReaderInterceptor;
+import javax.ws.rs.ext.ReaderInterceptorContext;
 import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.XMLStreamReader;
 
@@ -44,6 +47,7 @@
 import org.apache.cxf.jaxrs.utils.ExceptionUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.phase.AbstractPhaseInterceptor;
 import org.apache.cxf.phase.Phase;
 import org.apache.cxf.rs.security.common.CryptoLoader;
@@ -72,8 +76,8 @@
 /**
  * A new StAX-based interceptor for processing messages with XML Signature + Encryption content.
  */
-public class XmlSecInInterceptor extends AbstractPhaseInterceptor<Message> {
-    
+public class XmlSecInInterceptor extends AbstractPhaseInterceptor<Message> implements ReaderInterceptor  {
+
     private static final Logger LOG = LogUtils.getL7dLogger(XmlSecInInterceptor.class);
     
     private EncryptionProperties encryptionProperties;
@@ -94,13 +98,15 @@ public XmlSecInInterceptor() {
     }
     
     public void handleMessage(Message message) throws Fault {
-        String method = (String)message.get(Message.HTTP_REQUEST_METHOD);
-        if ("GET".equals(method)) {
+        if (isServerGet(message)) {
             return;
         }
-        
-        Message outMs = message.getExchange().getOutMessage();
-        Message inMsg = outMs == null ? message : outMs.getExchange().getInMessage();
+        prepareMessage(message);
+        message.getInterceptorChain().add(
+              new StaxActionInInterceptor(requireSignature, requireEncryption));
+    }
+    
+    private void prepareMessage(Message inMsg) throws Fault {
         
         XMLStreamReader originalXmlStreamReader = inMsg.getContent(XMLStreamReader.class);
         if (originalXmlStreamReader == null) {
@@ -110,8 +116,6 @@ public void handleMessage(Message message) throws Fault {
             }
         }
 
-        registerStaxActionInInterceptor(inMsg);
-
         try {
             XMLSecurityProperties properties = new XMLSecurityProperties();
             configureDecryptionKeys(inMsg, properties);
@@ -137,12 +141,12 @@ public void handleMessage(Message message) throws Fault {
         }
     }
 
-    protected void registerStaxActionInInterceptor(Message inMsg) {
-        inMsg.getInterceptorChain().add(
-            new StaxActionInInterceptor(requireSignature, requireEncryption));
-        
+    private boolean isServerGet(Message message) {
+        String method = (String)message.get(Message.HTTP_REQUEST_METHOD);
+        return "GET".equals(method) && !MessageUtils.isRequestor(message);
     }
 
+    
     private void configureDecryptionKeys(Message message, XMLSecurityProperties properties)
         throws IOException,
         UnsupportedCallbackException, WSSecurityException {
@@ -399,14 +403,29 @@ private Collection<Pattern> getSubjectContraints(Message msg) throws PatternSynt
         }
         return subjectDNPatterns;
     }
+
+    @Override
+    public Object aroundReadFrom(ReaderInterceptorContext ctx) throws IOException, WebApplicationException {
+        Message message = JAXRSUtils.getCurrentMessage();    
+        if (isServerGet(message)) {
+            return ctx.proceed();    
+        } else {
+            prepareMessage(message);
+            Object object = ctx.proceed();
+            new StaxActionInInterceptor(requireSignature, 
+                                        requireEncryption).handleMessage(message);
+            return object;
+        }
+        
+    }
     
     /**
      * This interceptor handles parsing the StaX results (events) + checks to see whether the 
      * required (if any) Actions (signature or encryption) were fulfilled.
      */
-    protected static class StaxActionInInterceptor extends AbstractPhaseInterceptor<Message> {
-        
-        private static final Logger LOG = 
+    private static class StaxActionInInterceptor extends AbstractPhaseInterceptor<Message> {
+
+        private static final Logger LOG =
             LogUtils.getL7dLogger(StaxActionInInterceptor.class);
                                                                 
         private final boolean signatureRequired;

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

19

News mentions

0

No linked articles in our index yet.