Bug 781041 (SOA-3527)

Summary: Update Oracle OpenSSO (opensso.war/opensso.jar) to address CVE-2011-3506 & CVE-2011-3517
Product: [JBoss] JBoss Enterprise SOA Platform 5
Reporter: David Jorm <djorm>
Component: Examples
Assignee: kconner
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 5.2.0.ER5
CC: jcoleman, mjc
Hardware: Unspecified
OS: Unspecified
URL: http://jira.jboss.org/jira/browse/SOA-3527
Doc Type: Bug Fix
Last Closed: 2013-03-01 05:33:46 UTC
Type: Bug
Bug Blocks: 784321, 787847

Description David Jorm 2011-10-28 04:05:02 UTC
project_key: SOA

Targeting the next release after 5.2.0:

Oracle OpenSSO 7.1 and 8.0 expose an unspecified vulnerability in the authentication component, allowing attackers to manipulate certain data (CVE-2011-3506).

Oracle OpenSSO 8.0 exposes an unspecified vulnerability in the authentication component, allowing a remote attacker to perform a denial of service (CVE-2011-3517).

Please update Oracle OpenSSO as included in the quickstarts to address these vulnerabilities.

Comment 1 Julian Coleman 2012-02-21 16:18:30 UTC
Oracle has released OpenSSO 8 update 2, but this is only available to Oracle subscribers:

  http://wesunsolve.net/patch/id/141655-08

Comment 3 David Jorm 2013-03-01 05:33:46 UTC
The opensso quickstart has been removed in JBoss Enterprise SOA Platform 5.3.0 to address these flaws. Users interested in continuing to receive updates for their custom applications using Oracle OpenSSO are advised to contact Oracle, as Red Hat is no longer supporting OpenSSO.