CVE-2017-3156 | Vulnerability Database | Aqua Security

The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.

Affected Software

Name	Vendor	Start Version	End Version
Cxf	Apache	*	3.0.12 (including)
Cxf	Apache	3.1.0 (including)	3.1.0 (including)
Cxf	Apache	3.1.1 (including)	3.1.1 (including)
Cxf	Apache	3.1.2 (including)	3.1.2 (including)
Cxf	Apache	3.1.3 (including)	3.1.3 (including)
Cxf	Apache	3.1.4 (including)	3.1.4 (including)
Cxf	Apache	3.1.5 (including)	3.1.5 (including)
Cxf	Apache	3.1.6 (including)	3.1.6 (including)
Cxf	Apache	3.1.7 (including)	3.1.7 (including)
Cxf	Apache	3.1.8 (including)	3.1.8 (including)
Cxf	Apache	3.1.9 (including)	3.1.9 (including)

References

http://cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc
http://www.securityfocus.com/bid/96398
https://access.redhat.com/errata/RHSA-2017:1832
https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E

NVD	https://nvd.nist.gov/vuln/detail/CVE-2017-3156
CWE	https://cwe.mitre.org/data/definitions/.html