
We use the OWASP Dependency Check to identify vulnerabilities in the dependencies of our Java project. One that is being flagged is CVE-2012-5786. According to that CVE, the issue is "in Apache CXF, possibly 2.6.0".

We are using Apache CXF 3.1.11, released April 2017. Because of how vague the CVE is about which versions are affected, we're unsure if our version of CXF is affected. We suspect not since it's five years old, but I guess we don't know for sure.

Does CVE-2012-5786 affect Apache CXF 3.1.11 (and later)?

1 Answer

What I understand from the exploit article linked in the CVE (shmat_ccs12.pdf): CXF is vulnerable to a man-in-the-middle attack when configured not to check certificates (disableCNCheck=true). By default it is configured to check certificates, so if you don't play with disableCNCheck (to use a self-signed certificate, for example) you're safe regarding this CVE.

  • As of 2017-08-08, the CVE was updated so that it no longer applies to Apache CXF 3.1.11, and probably some earlier versions. No idea if this answer helped with that, but if it did, thank you! Commented Aug 18, 2017 at 21:01
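To make the answer's point concrete, here is an added example (not code from the question, the answer, or the CXF project) showing the weak `disableCNCheck=true` client setting beside the hardened alternative for a self-signed server certificate, plus an audit helper. It assumes a CXF JAX-WS client proxy and uses the public CXF client API (`ClientProxy`, `HTTPConduit`, `TLSClientParameters`); the trust-store path and password are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public class CxfHostnameCheckExample {

    // Weak configuration: switches off the CN/hostname check, so any
    // certificate the trust store accepts is taken as valid for any host.
    // This is the setting the answer above says exposes the client to a MITM.
    static TLSClientParameters weakTlsParameters() {
        TLSClientParameters tls = new TLSClientParameters();
        tls.setDisableCNCheck(true);
        return tls;
    }

    // Hardened configuration for a self-signed server certificate: keep the
    // hostname check on (the default, set explicitly here) and trust the
    // specific certificate through a dedicated trust store instead.
    // truststorePath and password are placeholders for this example.
    static TLSClientParameters hardenedTlsParameters(String truststorePath, char[] password)
            throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(truststorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        TLSClientParameters tls = new TLSClientParameters();
        tls.setDisableCNCheck(false);
        tls.setTrustManagers(tmf.getTrustManagers());
        return tls;
    }

    // Apply TLS parameters to the HTTP conduit behind a CXF JAX-WS client proxy.
    static void apply(Object portProxy, TLSClientParameters tls) {
        Client client = ClientProxy.getClient(portProxy);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tls);
    }

    // Audit helper: true if a proxy's conduit has the hostname check turned off.
    static boolean hostnameCheckDisabled(Object portProxy) {
        HTTPConduit conduit = (HTTPConduit) ClientProxy.getClient(portProxy).getConduit();
        TLSClientParameters tls = conduit.getTlsClientParameters();
        return tls != null && tls.isDisableCNCheck();
    }
}
```

The same setting appears in Spring XML configuration as the `disableCNCheck` attribute on `tlsClientParameters`, so a code-review or config grep for that attribute covers both styles.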
