Bug 1184115 (CVE-2014-8152)

Summary: CVE-2014-8152 Apache Santuario XML Security for Java: Streaming XML Signature verification failure
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aneelica, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: xmlsec 2.0.3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-01-20 15:21:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Martin Prpič 2015-01-20 15:20:35 UTC
The 2.0.x series of releases of the Apache Santuario XML Security for Java library introduced support for streaming (StAX-based) XML Signature and Encryption.

It was discovered that Apache Santuario XML Security for Java did not correctly verify signatures of certain XML documents. A remote attacker could use this flaw to modify an XML document without invalidating its signature.

Please note that the "in-memory" (DOM) API for XML Signature is not affected by this issue, nor is the JSR-105 API. Web service stacks that use the streaming functionality of Apache Santuario (such as Apache CXF/WSS4J) are also not affected by this vulnerability.

Upstream patch:

http://svn.apache.org/viewvc?view=revision&revision=1634334

External References:

http://santuario.apache.org/secadv.data/CVE-2014-8152.txt

Comment 1 Martin Prpič 2015-01-20 15:21:17 UTC
Statement:

Not vulnerable. The 2.0.x versions of Apache Santuario XML Security for Java are not shipped in any Red Hat product as of January 2015.

Comment 2 Arun Babu Neelicattu 2015-01-21 09:29:31 UTC
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/java/2014/8152.yaml