Two new security vulnerabilities have been announced in Apache CXF. Those of you using WS-SecurityPolicy should read the announcements carefully to make sure that you are not affected. If these vulnerabilities apply to your deployment then you should upgrade to a more recent version of CXF that contains fixes for these vulnerabilities. The issues in question are:
![]()
- CVE-2012-2378 - Apache CXF does not pick up some child policies of
WS-SecurityPolicy 1.1 SupportingToken policy assertions on the client
side. - CVE-2012-2379 - Apache CXF does not verify that elements were
signed or encrypted by a particular Supporting Token.
