CVE-2017-5653
Spoofing vulnerability in cxf-core (Maven)


What is CVE-2017-5653 About?

This vulnerability affects Apache CXF JAX-RS XML Security streaming clients, which fail to validate that a service response was signed or encrypted. Because the client accepts an unvalidated response, a remote attacker who can intercept or manipulate traffic between client and server can spoof the server. Exploitation is of moderate difficulty: the attacker must be in a position to intercept or manipulate network traffic.

Affected Software

  • org.apache.cxf:cxf-core
    • >3.1.0, <3.1.11
    • <3.0.13

Technical Details

The vulnerability exists in Apache CXF's JAX-RS XML Security streaming clients. These clients handle XML-based security mechanisms, including signing and encryption, for messages exchanged with services. The flaw is that the client-side implementation does not check whether an incoming service response was actually signed or encrypted as expected. An attacker positioned between the client and the legitimate server, or otherwise able to intercept client-server communications, can send a malicious unsigned or unencrypted response. Because the client never validates the security properties of the response, it processes the attacker's fabricated message as if it came from the legitimate server, which amounts to server spoofing.

What is the Impact of CVE-2017-5653?

Successful exploitation may allow attackers to spoof legitimate servers, leading to unauthorized information disclosure, execution of unauthorized actions, or delivery of malicious content to unsuspecting clients.

What is the Exploitability of CVE-2017-5653?

Exploitation generally requires the attacker to hold a man-in-the-middle position, or otherwise be able to intercept and modify network traffic between the client and the server. No authentication is required for the client to accept the spoofed response, but the attacker needs access to the communication channel. The attacker must craft a malicious unsigned or unencrypted response where the client expects a secured one; no privileges beyond network access are needed. The missing validation of the server response is what makes the attack possible, so the likelihood of exploitation rises wherever network interception is feasible.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known public exploits are listed.

What are the Available Fixes for CVE-2017-5653?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch fixes CVE-2017-5653 by ensuring that the XML security interceptor properly handles entity body processing when acting as a JAX-RS ReaderInterceptor, and only processes the relevant HTTP methods (excluding GET requests on the server). Previously, the interceptor could be bypassed or invoked at the wrong point, so malicious unsigned or unencrypted XML messages were processed; the patch enforces the cryptographic checks at the appropriate lifecycle stage, which mitigates the vulnerability.
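As an added illustration (not code from the advisory or from the CXF project), the following client configures the streaming XmlSecInInterceptor to require a signature on every response; the service URL, truststore path and password are placeholders, and wiring the signature properties through the request context is an assumption about the CXF client API. On affected versions this flag was not enforced on the ReaderInterceptor path, so the configuration only protects the client once it runs a fixed release.

```java
import java.util.Properties;

import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.xml.XmlSecInInterceptor;
import org.apache.cxf.rt.security.SecurityConstants;

/**
 * Builds a JAX-RS client whose XML responses must carry a valid XML signature.
 * Added example; the URL, keystore file and password are placeholders.
 */
public class SignedResponseClient {

    static Properties verificationProps() {
        // WSS4J Merlin crypto settings pointing at the truststore that holds the
        // service's signing certificate (placeholder values, not from the advisory).
        Properties p = new Properties();
        p.put("org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
        p.put("org.apache.wss4j.crypto.merlin.keystore.type", "jks");
        p.put("org.apache.wss4j.crypto.merlin.keystore.file", "client-truststore.jks");
        p.put("org.apache.wss4j.crypto.merlin.keystore.password", "changeit");
        return p;
    }

    public static WebClient build(String serviceUrl) {
        WebClient client = WebClient.create(serviceUrl);

        XmlSecInInterceptor xmlSecIn = new XmlSecInInterceptor();
        // Reject any response that is not signed. In cxf-core < 3.0.13 and
        // 3.1.0 < v < 3.1.11 the streaming ReaderInterceptor path did not enforce
        // this flag, so an unsigned response from an on-path attacker was accepted;
        // the flag only does its job on a fixed version.
        xmlSecIn.setRequireSignature(true);

        WebClient.getConfig(client).getInInterceptors().add(xmlSecIn);
        // Assumed wiring: signature verification properties supplied via the
        // client's request context under the CXF security constant.
        WebClient.getConfig(client).getRequestContext()
                .put(SecurityConstants.SIGNATURE_PROPERTIES, verificationProps());
        return client;
    }

    public static void main(String[] args) {
        WebClient client = build("https://service.example.invalid/api/resource");
        // With enforcement in place, an unsigned or tampered response fails inside
        // the interceptor instead of being handed to the caller.
        String body = client.accept("application/xml").get(String.class);
        System.out.println(body);
    }
}
```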

Available Upgrade Options

  • org.apache.cxf:cxf-core
    • <3.0.13 → Upgrade to 3.0.13
  • org.apache.cxf:cxf-core
    • >3.1.0, <3.1.11 → Upgrade to 3.1.11


Additional Resources

What are Similar Vulnerabilities to CVE-2017-5653?

Similar Vulnerabilities: CVE-2009-3555, CVE-2014-3566, CVE-2011-3389, CVE-2008-5029, CVE-2015-0205