wid-sec-w-2022-2316
Vulnerability from csaf_certbund
Published
2022-12-13 23:00
Modified
2024-11-24 23:00
Summary
Apache CXF: Multiple vulnerabilities
Notes
As the provider of its own content made available for use, the BSI is responsible under the general laws. Users are, however, responsible for carefully checking in each individual case the use and/or implementation of the information provided with the content.
Product description
Apache CXF is an open-source web service framework.
Attack
A remote attacker can exploit multiple vulnerabilities in Apache CXF to disclose information and to carry out SSRF attacks.
Affected operating systems
- Linux
- UNIX
- Windows
Document metadata
- Aggregate severity: medium ("mittel")
- Category: csaf_base (CSAF version 2.0)
- Distribution: TLP:WHITE (https://www.first.org/tlp/)
- Language: de-DE (source language: en-US)
- Publisher: Bundesamt für Sicherheit in der Informationstechnik (category: other), contact csaf-provider@cert-bund.de, namespace https://www.bsi.bund.de
- Title: Apache CXF: Multiple vulnerabilities

Tracking
- ID: WID-SEC-W-2022-2316
- Initial release date: 2022-12-13T23:00:00.000+00:00
- Current release date: 2024-11-24T23:00:00.000+00:00
- Generator: BSI-WID 1.3.8 (generated 2024-11-25T09:15:43.013+00:00)
- Status: final, version 20

References
- WID-SEC-W-2022-2316 - CSAF version (self): https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-2316.json
- WID-SEC-2022-2316 - Portal version (self): https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-2316
- Apache CXF Security Advisory of 2022-12-13: https://cxf.apache.org/security-advisories.data/CVE-2022-46363.txt
- Apache CXF Security Advisory of 2022-12-13: https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt
- Red Hat Security Advisory RHSA-2023:0163 of 2023-01-12: https://access.redhat.com/errata/RHSA-2023:0163
- Red Hat Security Advisory RHSA-2023:0164 of 2023-01-12: https://access.redhat.com/errata/RHSA-2023:0164
- Red Hat Security Advisory RHSA-2023:0483 of 2023-01-27: https://access.redhat.com/errata/RHSA-2023:0483
- Red Hat Security Advisory RHSA-2023:0544 of 2023-01-30: https://access.redhat.com/errata/RHSA-2023:0544
- IBM Security Bulletin 6953767 of 2023-02-08: https://www.ibm.com/support/pages/node/6953767
- Red Hat Security Advisory RHSA-2023:1047 of 2023-03-02: https://access.redhat.com/errata/RHSA-2023:1047
- Red Hat Security Advisory RHSA-2023:1045 of 2023-03-02: https://access.redhat.com/errata/RHSA-2023:1045
- Red Hat Security Advisory RHSA-2023:1044 of 2023-03-02: https://access.redhat.com/errata/RHSA-2023:1044
- Red Hat Security Advisory RHSA-2023:1043 of 2023-03-02: https://access.redhat.com/errata/RHSA-2023:1043
- Red Hat Security Advisory RHSA-2023:1049 of 2023-03-02: https://access.redhat.com/errata/RHSA-2023:1049
- IBM Security Bulletin 6962805 of 2023-03-10: https://www.ibm.com/support/pages/node/6962805
- PDFreactor Changelog version 11.6.3 of 2023-03-07: https://www.pdfreactor.com/product/changelog.htm
- Red Hat Security Advisory RHSA-2023:1286 of 2023-03-16: https://access.redhat.com/errata/RHSA-2023:1286
- Red Hat Security Advisory RHSA-2023:1285 of 2023-03-16: https://access.redhat.com/errata/RHSA-2023:1285
- IBM Security Bulletin 6967571 of 2023-03-31: https://www.ibm.com/support/pages/node/6967571
- IBM Security Bulletin 6987357 of 2023-04-30: https://www.ibm.com/support/pages/node/6987357
- IBM Security Bulletin 6987353 of 2023-04-30: https://www.ibm.com/support/pages/node/6987353
- Red Hat Security Advisory RHSA-2023:3641 of 2023-06-15: https://access.redhat.com/errata/RHSA-2023:3641
- Red Hat Security Advisory RHSA-2023:3906 of 2023-06-28: https://access.redhat.com/errata/RHSA-2023:3906
- Red Hat Security Advisory RHSA-2023:3954 of 2023-06-29: https://access.redhat.com/errata/RHSA-2023:3954
- Red Hat Security Advisory RHSA-2023:2135 of 2024-02-19: https://access.redhat.com/errata/RHSA-2023:2135
- IBM Security Bulletin 7108820 of 2024-01-18: https://www.ibm.com/support/pages/node/7108820
- IBM Security Bulletin 7068195 of 2023-11-07: https://www.ibm.com/support/pages/node/7068195
- IBM Security Bulletin 7174108 of 2024-10-25: https://www.ibm.com/support/pages/node/7174108
- Red Hat Security Advisory RHSA-2024:10208 of 2024-11-25: https://access.redhat.com/errata/RHSA-2024:10208
- Red Hat Security Advisory RHSA-2024:10207 of 2024-11-25: https://access.redhat.com/errata/RHSA-2024:10207

Revision history
- 1 (2022-12-13T23:00:00.000+00:00): Initial version
- 2 (2023-01-12T23:00:00.000+00:00): New updates from Red Hat added
- 3 (2023-01-26T23:00:00.000+00:00): New updates from Red Hat added
- 4 (2023-01-30T23:00:00.000+00:00): New updates from Red Hat added
- 5 (2023-02-08T23:00:00.000+00:00): New updates from IBM added
- 6 (2023-03-01T23:00:00.000+00:00): New updates from Red Hat added
- 7 (2023-03-12T23:00:00.000+00:00): New updates from IBM added
- 8 (2023-03-14T23:00:00.000+00:00): New updates added
- 9 (2023-03-16T23:00:00.000+00:00): New updates from Red Hat added
- 10 (2023-03-28T22:00:00.000+00:00): Versions of IBM WebSphere Application Server Liberty added
- 11 (2023-04-02T22:00:00.000+00:00): New updates from IBM added
- 12 (2023-05-01T22:00:00.000+00:00): New updates from IBM and IBM APAR added
- 13 (2023-06-15T22:00:00.000+00:00): New updates from Red Hat added
- 14 (2023-06-28T22:00:00.000+00:00): New updates from Red Hat added
- 15 (2023-06-29T22:00:00.000+00:00): New updates from Red Hat added
- 16 (2023-11-07T23:00:00.000+00:00): New updates from IBM added
- 17 (2024-01-17T23:00:00.000+00:00): New updates from IBM added
- 18 (2024-02-19T23:00:00.000+00:00): New updates from Red Hat added
- 19 (2024-10-24T22:00:00.000+00:00): New updates from IBM added
- 20 (2024-11-24T23:00:00.000+00:00): New updates from Red Hat added

Product tree
Apache
- Apache CXF <3.5.5 (product_id T025594, version range)
- Apache CXF 3.5.5 (product_id T025594-fixed, cpe:/a:apache:cxf:3.5.5)
- Apache CXF <3.4.10 (product_id T025595, version range)
- Apache CXF 3.4.10 (product_id T025595-fixed, cpe:/a:apache:cxf:3.4.10)
IBM
- IBM Business Automation Workflow (product_id T019704, cpe:/a:ibm:business_automation_workflow:-)
- IBM InfoSphere Guardium (product_id T002366, cpe:/a:ibm:infosphere_guardium:-)
- IBM Security Guardium Key Lifecycle Manager 4.1.1 (product_id T021015, cpe:/a:ibm:security_guardium:key_lifecycle_manager_4.1.1)
- IBM Security Guardium Key Lifecycle Manager 4.2 (product_id T027545, cpe:/a:ibm:security_guardium:key_lifecycle_manager_4.2)
- IBM Security Verify Access 10.0.0.0-10.0.6.1 (product_id T031895, cpe:/a:ibm:security_verify_access:10.0.0.0_-_10.0.6.1)
- IBM TXSeries 9.1 (product_id T015903, cpe:/a:ibm:txseries:for_multiplatforms_9.1)
- IBM TXSeries 8.2 (product_id T015904, cpe:/a:ibm:txseries:for_multiplatforms_8.2)
- IBM TXSeries 8.1 (product_id T015905, cpe:/a:ibm:txseries:for_multiplatforms_8.1)
- IBM Tivoli Business Service Manager <6.2.0.5 (product_id T027560, version range)
- IBM Tivoli Business Service Manager 6.2.0.5 (product_id T027560-fixed, cpe:/a:ibm:tivoli_business_service_manager:6.2.0.5)
- IBM WebSphere Application Server liberty 17.0.0.3-23.0.0.1 (product_id T026976, cpe:/a:ibm:websphere_application_server:liberty_17.0.0.3_-_23.0.0.1)
RealObjects
- RealObjects PDFreactor <11.6.3 (product_id T026775, version range)
- RealObjects PDFreactor 11.6.3 (product_id T026775-fixed, cpe:/a:realobjects:pdfreactor:11.6.3)
Red Hat
- Red Hat Enterprise Linux (product_id 67646, cpe:/o:redhat:enterprise_linux:-)
- Red Hat JBoss Enterprise Application Platform <7.1.8 (product_id T039411, version range)
- Red Hat JBoss Enterprise Application Platform 7.1.8 (product_id T039411-fixed, cpe:/a:redhat:jboss_enterprise_application_platform:7.1.8)
- Red Hat JBoss Enterprise Application Platform <7.3.11 (product_id T039412, version range)
- Red Hat JBoss Enterprise Application Platform 7.3.11 (product_id T039412-fixed, cpe:/a:redhat:jboss_enterprise_application_platform:7.3.11)

Vulnerabilities
CVE-2022-46363
A vulnerability exists in Apache CXF when the "CXFServlet" is misconfigured with both the "static-resources-list" and "redirect-query-check" attributes. An attacker can exploit this to disclose a directory listing and program code.
- Release date: 2022-12-13T23:00:00.000+00:00
- Known affected: T027560, T015905, T015904, T015903, T031895, 67646, T039412, T039411, T021015, T019704, T002366, T026775, T027545, T025594, T025595
CVE-2022-46364
An SSRF vulnerability was discovered in Apache CXF. It is caused by an error when parsing the "href" attribute of "XOP:Include" in "MTOM" requests. An attacker can exploit this to carry out SSRF-like attacks against web services that accept at least one parameter of any type.
- Release date: 2022-12-13T23:00:00.000+00:00
- Known affected: T027560, T015905, T015904, T015903, T031895, 67646, T039412, T039411, T021015, T019704, T026976, T002366, T026775, T027545, T025594, T025595