Bug 1191451 (CVE-2015-0227)
Summary: | CVE-2015-0227 wss4j: Apache WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aileenc, alazarot, asantos, bdawidow, bleanhar, brms-jira, ccoleman, cdewolf, chazlett, dandread, darran.lofthouse, dmcphers, epp-bugs, etirelli, felias, fnasser, grocha, gvarsami, hfnukal, huwang, jason.greene, jawilson, jbpapp-maint, jcoleman, jdetiber, jdg-bugs, jgarriso, jialiu, jkeck, jokerman, jolee, jpallich, kconner, kseifried, ldimaggi, lgao, lmeyer, lpetrovi, mbaluch, mmccomas, mweiler, mwinkler, myarboro, nwallace, pavelp, pgier, pslavice, rhq-maint, rrajasek, rsvoboda, rwagner, rzhang, soa-p-jira, spinder, tcunning, theute, tkirby, ttarrant, twalsh, vhalbert, vtunka, weli |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | wss4j 1.6.17, wss4j 2.0.2 | Doc Type: | Bug Fix |
Doc Text: | It was found that Apache WSS4J permitted bypass of the requireSignedEncryptedDataElements configuration property via XML Signature wrapping attacks. A remote attacker could use this flaw to modify the contents of a signed request. |
Last Closed: | 2016-07-12 21:26:07 UTC | Type: | --- |
Bug Depends On: | 1191455, 1196877, 1196878, 1196879, 1196880, 1196881, 1196882, 1196883, 1196884, 1196885, 1196886, 1196887, 1196888, 1196890, 1196892, 1196893, 1196894, 1196895, 1196896, 1196897, 1207497, 1207498, 1207499 | ||
Bug Blocks: | 1191452, 1206755, 1212496, 1232965, 1258580, 1258582 |
Description
Vasyl Kaigorodov
2015-02-11 10:51:30 UTC
Created wss4j tracking bugs for this issue:

Affects: fedora-all [bug 1191455]

This issue has been addressed in the following products:
Red Hat JBoss Data Grid 6.4
Via RHSA-2015:0773 https://rhn.redhat.com/errata/RHSA-2015-0773.html

This issue has been addressed in the following products:
JBoss Enterprise Application Platform 6.4.0
Via RHSA-2015:0849 https://rhn.redhat.com/errata/RHSA-2015-0849.html

This issue has been addressed in the following products:
JBEAP 6.4.z for RHEL 6
Via RHSA-2015:0847 https://rhn.redhat.com/errata/RHSA-2015-0847.html

This issue has been addressed in the following products:
JBEAP 6.4.z for RHEL 5
Via RHSA-2015:0846 https://rhn.redhat.com/errata/RHSA-2015-0846.html

This issue has been addressed in the following products:
JBEAP 6.4.z for RHEL 7
Via RHSA-2015:0848 https://rhn.redhat.com/errata/RHSA-2015-0848.html

This issue has been addressed in the following products:
Red Hat JBoss A-MQ 6.2.0
Via RHSA-2015:1177 https://rhn.redhat.com/errata/RHSA-2015-1177.html

This issue has been addressed in the following products:
Red Hat JBoss Fuse 6.2.0
Via RHSA-2015:1176 https://rhn.redhat.com/errata/RHSA-2015-1176.html