Bug 1196619 (CVE-2015-1796)

Summary: CVE-2015-1796 OpenSAML Java: PKIX Trust Engines Exhibit Critical Flaw In Trusted Names Evaluation
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aileenc, asantos, bdawidow, cdewolf, chazlett, dandread, darran.lofthouse, epp-bugs, felias, fnasser, gvarsami, hfnukal, huwang, jason.greene, jawilson, jclere, jcoleman, jdg-bugs, jolee, jpallich, kconner, ldimaggi, lgao, mgoldman, mweiler, myarboro, nwallace, pavelp, pgier, pslavice, rhq-maint, rsvoboda, rwagner, soa-p-jira, spinder, tcunning, theute, tkirby, ttarrant, twalsh, vhalbert, vtunka, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: OpenSAML Java 2.6.5
Doc Type: Bug Fix
Doc Text:
It was found that PKIX trust components allowed an X.509 credential to be trusted if no trusted names were available for the entityID. An attacker could use a certificate issued by a shibmd:KeyAuthority trust anchor to impersonate an entity within the scope of that keyAuthority.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-06-20 19:39:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1196628, 1201533, 1201534, 1201535, 1201536, 1201537, 1201538, 1201539, 1201540, 1201541, 1201542, 1201543, 1201544, 1201545, 1201546, 1201547, 1201548, 1201549, 1201550
Bug Blocks: 1196291, 1196328, 1196624, 1232965

Description Vasyl Kaigorodov 2015-02-26 12:08:09 UTC
A critical flaw has been discovered in the PKIX trust components that
allows an X509 credential to be trusted in the special case where no
trusted names are available for the given entityID.
See External References for the complete details.

External References:

http://shibboleth.net/community/advisories/secadv_20150225.txt
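The Doc Text above describes the flaw as a fail-open decision: when no trusted names were registered for an entityID, the PKIX trust engine skipped the name check and accepted any certificate that chained to a shibmd:KeyAuthority anchor. The following Java snippet is an added illustration of that logic and of the fail-closed alternative; it is not OpenSAML code, and the class name TrustedNamesCheck, the methods flawedEvaluate/evaluate, and the sample name sets are all constructed for this example.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical stand-in for a trusted-names evaluation step (not OpenSAML's own code). */
public final class TrustedNamesCheck {

    /** Outcome of comparing a presented certificate's names against the trusted-name set. */
    public enum Result { TRUSTED, UNTRUSTED, NO_TRUSTED_NAMES }

    /**
     * Fail-open evaluation modelling the behaviour in the advisory summary:
     * an empty trusted-name set for the entityID is treated as "no constraint",
     * so any certificate that already passed PKIX path validation is accepted.
     */
    public static boolean flawedEvaluate(Set<String> trustedNames, Set<String> certNames) {
        if (trustedNames.isEmpty()) {
            return true; // the flaw: no names to check means the check is skipped
        }
        return intersects(trustedNames, certNames);
    }

    /**
     * Fail-closed evaluation: an empty (or missing) trusted-name set is reported
     * as its own outcome so the caller rejects the credential instead of
     * silently accepting every chain-valid certificate under the key authority.
     */
    public static Result evaluate(Set<String> trustedNames, Set<String> certNames) {
        if (trustedNames == null || trustedNames.isEmpty()) {
            return Result.NO_TRUSTED_NAMES;
        }
        return intersects(trustedNames, certNames) ? Result.TRUSTED : Result.UNTRUSTED;
    }

    /** True when at least one presented name matches a trusted name. */
    private static boolean intersects(Set<String> trusted, Set<String> presented) {
        for (String name : trusted) {
            if (presented.contains(name)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample data: the relying party has no trusted names for this
        // entityID, and the presented certificate names an unrelated host.
        Set<String> noTrustedNames = Collections.emptySet();
        Set<String> certNames = new HashSet<>();
        certNames.add("other-host.example");

        System.out.println("fail-open:   " + flawedEvaluate(noTrustedNames, certNames));
        System.out.println("fail-closed: " + evaluate(noTrustedNames, certNames));
    }
}
```

The point of returning a distinct NO_TRUSTED_NAMES result rather than a plain false is that the caller can log the misconfiguration separately from an ordinary name mismatch, which makes the condition visible in deployment checks instead of being masked by an accepted credential.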

Comment 1 Vasyl Kaigorodov 2015-02-26 12:16:00 UTC
Created opensaml-java tracking bugs for this issue:

Affects: fedora-all [bug 1196628]

Comment 5 errata-xmlrpc 2015-06-23 16:52:44 UTC
This issue has been addressed in the following products:

  Red Hat JBoss A-MQ 6.2.0

Via RHSA-2015:1177 https://rhn.redhat.com/errata/RHSA-2015-1177.html

Comment 6 errata-xmlrpc 2015-06-23 16:53:43 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.2.0

Via RHSA-2015:1176 https://rhn.redhat.com/errata/RHSA-2015-1176.html