The SecurityTokenService (STS) in Apache CXF before 2.6.12 and 2.7.x before 2.7.9 does not properly validate SAML tokens when caching is enabled, which allows remote attackers to gain access via an invalid SAML token.
cxf.apache.org/security-advisories.data/CVE-2014-0034.txt.asc
rhn.redhat.com/errata/RHSA-2014-0797.html
rhn.redhat.com/errata/RHSA-2014-0798.html
rhn.redhat.com/errata/RHSA-2014-0799.html
rhn.redhat.com/errata/RHSA-2014-1351.html
rhn.redhat.com/errata/RHSA-2015-0850.html
rhn.redhat.com/errata/RHSA-2015-0851.html
svn.apache.org/viewvc?view=revision&revision=1551228
www.securityfocus.com/bid/68441
access.redhat.com/security/updates/classification/#moderate
access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/6.2.4_Release_Notes/index.html
bugzilla.redhat.com/show_bug.cgi?id=1090473
bugzilla.redhat.com/show_bug.cgi?id=1103767
bugzilla.redhat.com/show_bug.cgi?id=1103873
bugzilla.redhat.com/show_bug.cgi?id=1104167
bugzilla.redhat.com/show_bug.cgi?id=1105592
bugzilla.redhat.com/show_bug.cgi?id=1105658
bugzilla.redhat.com/show_bug.cgi?id=1106546
bugzilla.redhat.com/show_bug.cgi?id=1106580
bugzilla.redhat.com/show_bug.cgi?id=1106583
bugzilla.redhat.com/show_bug.cgi?id=1106586
bugzilla.redhat.com/show_bug.cgi?id=1106590
bugzilla.redhat.com/show_bug.cgi?id=1109954
lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E
lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E
lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E