CVE-2017-3156

CWE-3857 documents6 sources

Severity

7.5HIGH

EPSS

6.5%

top 8.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache CXF Apache Software Foundation Apache CXF

Timeline

PublishedAug 10

Latest updateMay 13

Description

The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.apache.cxf.karaf:apache-cxf3.1.0 — 3.1.10+1

▶NVDapache/cxf3.0.12+10

▶CVEListV5apache_software_foundation/apache_cxf3.1.x prior to 3.1.10, prior to 3.0.13+1

🔴Vulnerability Details

GHSA

Covert Timing Channel in Apache CXF↗2022-05-13

▶

OSV

Covert Timing Channel in Apache CXF↗2022-05-13

▶

CVEList

CVE-2017-3156: The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3↗2017-08-10

▶

📋Vendor Advisories

Red Hat

cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks↗2017-02-20

▶

💬Community

Bugzilla

CVE-2017-3156 cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks [fedora-all]↗2017-02-21

▶

Bugzilla

CVE-2017-3156 cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks↗2017-02-21

▶