ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Colm O hEigeartaigh (JIRA)" <>
Subject [jira] [Updated] (WSS-465) Possible information leak: incremental IDs
Date Wed, 17 Jul 2013 12:14:48 GMT


Colm O hEigeartaigh updated WSS-465:

    Fix Version/s: 1.6.12
> Possible information leak: incremental IDs
> ------------------------------------------
>                 Key: WSS-465
>                 URL:
>             Project: WSS4J
>          Issue Type: Improvement
>          Components: WSS4J Core
>    Affects Versions: 1.6.9
>         Environment: CXF 2.7.3, XMLsec 1.5.3
>            Reporter: Marco Stettler
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.6.12
> We had a security audit, and one of the points listed is as follow:
> The "Signature ID" and "Reference URI ID" are incremental. From this fact it can be deduced
whether and how much the service will be used. The number varies only minimally, the service
is hardly used the observed time. However, the number rises noticeably within a short time,
so the service is already under load. At such a time a DoS attack, for example, would achieve
particularly infuriating effect.
> Couldnt this IDs be randomized? Or incremental by request (not "static" in the VM)?
> What i saw in the code is, that theres already a interface "WsuIdAllocator", with a anonymous
implementation in the class "WSSConfig". But theres no proper way to override this implementation
as the extension point is missing (or i'm missing it :).

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message