Bug 754386 (CVE-2011-4314)

Summary: CVE-2011-4314 openid4java (AX extension): MITM due to improper validation of AX attribute signatures
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
QA Contact:
Docs Contact:
CC: brms-jira, djorm, tkirby, vdanen
Keywords: Security
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-04-25 02:35:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 754387, 787092, 787530, 808950

Description Jan Lieskovsky 2011-11-16 10:50:44 UTC
A security flaw was found in the way the Attribute Exchange (AX) extension of OpenID4Java, a Java library implementing and supporting various OpenID specifications, performed validation of attribute values passed to a Java application. It was not checking to ensure that the information provided through AX was signed. If AX was being used to receive information that the application only trusts the identity provider to assert, a remote attacker could use this flaw to conduct man-in-the-middle (MITM) attacks and compromise the integrity of this information via a specially-crafted request.

References:
[1] http://openid.net/2011/05/05/attribute-exchange-security-alert/
[2] http://secunia.com/advisories/44496/
[3] http://code.google.com/p/openid4java/source/browse/trunk/CHANGELOG?spec=svn662&r=662

Relevant upstream patch:
[4] http://code.google.com/p/openid4java/source/detail?r=661
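The following is an added illustration of the relying-party check the description is about; it is not code from the bug report, from the upstream patch, or from openid4java itself. It parses the parameters of an OpenID 2.0 positive assertion, verifies the HMAC-SHA256 signature over the fields listed in openid.signed, and then extracts Attribute Exchange (AX) attributes in two ways: the vulnerable way (every openid.<alias>.value.* field is trusted) and the correct way (an AX value is trusted only if the extension namespace, the attribute type and the attribute value are all covered by the signature). The association MAC key, the response parameters and the "urn:example:role" type URI are constructed sample data; an HMAC-SHA256 association type is assumed.

```python
import base64
import hashlib
import hmac

AX_NS = "http://openid.net/srv/ax/1.0"


def signed_fields(params):
    """Field names (without the 'openid.' prefix) that the OP's signature covers."""
    return [f for f in params.get("openid.signed", "").split(",") if f]


def signature_base(params):
    """Key-Value form of the signed fields, in openid.signed order (OpenID 2.0, section 6.1)."""
    parts = []
    for field in signed_fields(params):
        value = params.get("openid." + field)
        if value is None:
            raise ValueError(f"signed field openid.{field} is missing from the response")
        parts.append(f"{field}:{value}\n")
    return "".join(parts).encode("utf-8")


def compute_sig(params, mac_key):
    """Base64 HMAC-SHA256 over the signed fields, as an OP with an HMAC-SHA256 association produces it."""
    digest = hmac.new(mac_key, signature_base(params), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_signature(params, mac_key):
    return hmac.compare_digest(compute_sig(params, mac_key), params.get("openid.sig", ""))


def ax_aliases(params):
    """Extension aliases bound to the AX namespace, e.g. 'ext1' for openid.ns.ext1."""
    return [k[len("openid.ns."):] for k, v in params.items()
            if k.startswith("openid.ns.") and v == AX_NS]


def naive_ax_attributes(params):
    """The vulnerable behaviour: accept every AX value, whether or not it is signed."""
    out = {}
    for alias in ax_aliases(params):
        prefix = f"openid.{alias}.value."
        for k, v in params.items():
            if k.startswith(prefix):
                out[k[len(prefix):]] = v
    return out


def signed_ax_attributes(params):
    """Accept only AX values whose namespace, type and value fields are all in openid.signed."""
    signed = set(signed_fields(params))
    out = {}
    for alias in ax_aliases(params):
        if f"ns.{alias}" not in signed:
            continue  # the extension namespace itself is unsigned: ignore the whole extension
        prefix = f"openid.{alias}.value."
        for k, v in params.items():
            if not k.startswith(prefix):
                continue
            name = k[len(prefix):]             # 'email', or 'email.1' for multi-valued attributes
            type_name = name.split(".", 1)[0]  # the type key is declared once per attribute
            if f"{alias}.value.{name}" in signed and f"{alias}.type.{type_name}" in signed:
                out[name] = v
    return out


# Constructed sample data (not taken from the bug report).
MAC_KEY = b"constructed-association-mac-key"  # in practice the key negotiated in the association


def make_genuine_response():
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/openid",
        "openid.claimed_id": "https://op.example/alice",
        "openid.identity": "https://op.example/alice",
        "openid.return_to": "https://rp.example/openid/return",
        "openid.response_nonce": "2011-11-16T10:50:44Zabc123",
        "openid.assoc_handle": "assoc-1",
        "openid.ns.ext1": AX_NS,
        "openid.ext1.mode": "fetch_response",
        "openid.ext1.type.email": "http://axschema.org/contact/email",
        "openid.ext1.value.email": "alice@example.com",
        "openid.signed": ("op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,"
                          "ns.ext1,ext1.mode,ext1.type.email,ext1.value.email"),
    }
    params["openid.sig"] = compute_sig(params, MAC_KEY)
    return params


def make_tampered_response():
    """Genuine response with an unsigned AX attribute appended in transit; the signature still verifies."""
    params = make_genuine_response()
    params["openid.ext1.type.role"] = "urn:example:role"  # constructed type URI
    params["openid.ext1.value.role"] = "admin"
    return params


if __name__ == "__main__":
    t = make_tampered_response()
    print("signature valid:", verify_signature(t, MAC_KEY))
    print("naive :", naive_ax_attributes(t))
    print("strict:", signed_ax_attributes(t))
```

The point the sample makes is that a valid signature alone says nothing about parameters that are not in openid.signed: the tampered response passes verify_signature, and naive_ax_attributes happily returns the injected "role" attribute, while signed_ax_attributes returns only the signed e-mail. If a relying party needs AX data it only trusts the identity provider to assert, the type and value fields for that attribute must appear in the signed list, and an OP that does not sign them should be treated as not having provided them.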

Comment 1 Jan Lieskovsky 2011-11-16 10:58:33 UTC
CVE request:
[5] http://www.openwall.com/lists/oss-security/2011/11/16/1

Comment 3 errata-xmlrpc 2011-12-08 19:16:38 UTC
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 6

Via RHSA-2011:1798 https://rhn.redhat.com/errata/RHSA-2011-1798.html

Comment 4 errata-xmlrpc 2011-12-08 19:36:56 UTC
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 5

Via RHSA-2011:1799 https://rhn.redhat.com/errata/RHSA-2011-1799.html

Comment 5 errata-xmlrpc 2011-12-08 19:47:32 UTC
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 4

Via RHSA-2011:1800 https://rhn.redhat.com/errata/RHSA-2011-1800.html

Comment 6 errata-xmlrpc 2011-12-08 19:57:52 UTC
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 5

Via RHSA-2011:1803 https://rhn.redhat.com/errata/RHSA-2011-1803.html

Comment 7 errata-xmlrpc 2011-12-08 19:57:58 UTC
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 6

Via RHSA-2011:1802 https://rhn.redhat.com/errata/RHSA-2011-1802.html

Comment 8 errata-xmlrpc 2011-12-08 20:08:44 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Web Platform 5.1.2

Via RHSA-2011:1806 https://rhn.redhat.com/errata/RHSA-2011-1806.html

Comment 9 errata-xmlrpc 2011-12-08 20:08:51 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.1.2

Via RHSA-2011:1805 https://rhn.redhat.com/errata/RHSA-2011-1805.html

Comment 10 errata-xmlrpc 2011-12-08 20:08:56 UTC
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 4

Via RHSA-2011:1804 https://rhn.redhat.com/errata/RHSA-2011-1804.html

Comment 11 errata-xmlrpc 2012-03-12 16:59:33 UTC
This issue has been addressed in the following products:

  JBoss Enterprise SOA Platform 5.2.0

Via RHSA-2012:0378 https://rhn.redhat.com/errata/RHSA-2012-0378.html

Comment 12 errata-xmlrpc 2012-04-02 19:31:05 UTC
This issue has been addressed in the following products:

  JBoss Enterprise BRMS Platform 5.2.0

Via RHSA-2012:0441 https://rhn.redhat.com/errata/RHSA-2012-0441.html

Comment 13 errata-xmlrpc 2012-04-25 02:11:54 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Portal Platform 5.2.1

Via RHSA-2012:0519 https://rhn.redhat.com/errata/RHSA-2012-0519.html