apache cxf CVE-2019-12423 in Apache and Oracle Products
Published on January 16, 2020

product logo product logo
Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifing the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However it is also possible to obtain the keys from a JWK keystore file, by setting the configuration parameter "rs.security.keystore.type" to "jwk". For this case all keys are returned in this file "as is", including all private key and secret key credentials. This is an obvious security risk if the user has configured the signature keystore file with private or secret key credentials. From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding to the id of the key in the JWK file, and only this key is returned. In addition, any private key information is omitted by default. "oct" keys, which contain secret keys, are not returned at all.

NVD


Products Associated with CVE-2019-12423

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2019-12423 are published in these products:

Apache CXF
 
Oracle Commerce Guided Search
 
Oracle Communications Diameter Signaling Router
 
Oracle Communications Element Manager
 
Oracle Communications Session Report Manager
 
Oracle Communications Session Route Manager
 
Oracle Flexcube Private Banking
 
Oracle Retail Order Broker
 

Affected Versions

Apache CXF Version All versions of Apache CXF prior to 3.3.5 and 3.2.12. is affected by CVE-2019-12423

Exploit Probability

EPSS
1.16%
Percentile
78.33%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.