Skip to main content

CVE-2017-3156

Severity

7.5

Description

The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.

Mitigation

We recommend upgrading to a version of this package that is not vulnerable to this specific issue.

Project

Apache TomEE

Category
Timing attack
Tags
data
Date Disclosed

2017-08-10

Date Discovered

2016-12-05

Apache TomEE 7.0.x

First release:
2016-05-17
CVEs:
100
Support Lifecycle:
Namespace:
javax

Apache TomEE 1.7.x

First release:
2014-08-09
CVEs:
87
Support Lifecycle:
Namespace:
javax

Apache TomEE 1.6.x

First release:
2013-11-17
CVEs:
101
Support Lifecycle:
Namespace:
javax

Apache TomEE 1.5.x

First release:
2012-09-28
CVEs:
111
Support Lifecycle:
Namespace:
javax
Feel Vulnerable? 

Contact us so we can help you.

* These fields are required.