Apache CXF

A vulnerability, CVE-2017-3156, exists in Apache CXF versions up to and including 3.0.12 and 3.1.10 and impacts the OAuth2 Hawk/JOSE MAC Validation code. A threat actor could exploit this vulnerability to perform a timing attack. The NJCCIC recommends users and administrators of affected Apache CXF versions review the Apache Security Advisory and upgrade to either 3.0.13 or 3.1.11 as soon as possible.