CVE-2017-3156

Summary

The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache CXFprior to 3.0.13affected
Apache Software FoundationApache CXF3.1.x prior to 3.1.10affected

Weaknesses

  • Timing attack

ADP Enrichment

CVE Program Container

Additional References

References