Bug 794319 (JBEPP-1368)
| Summary: | Upgrade openid4java to resolve CVE-2011-4314 | | |
|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Portal Platform 5 | Reporter: | David Jorm <djorm> |
| Component: | Portal | Assignee: | hfnukal <hfnukal> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 5.1.1.GA | CC: | djorm, jmorgan, mjc |
| Target Milestone: | --- | | |
| Target Release: | 5.2.1.GA | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| URL: | http://jira.jboss.org/jira/browse/JBEPP-1368 | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | It was found that the Attribute Exchange (AX) extension of OpenID4Java was not checking to ensure attributes were signed. If AX was being used to receive information that an application only trusts the identity provider to assert, a remote attacker could use this flaw to conduct man-in-the-middle attacks and compromise the integrity of the information via a specially-crafted request. By default, only the JBoss Seam openid example application uses OpenID4Java. (<ulink url="https://bugzilla.redhat.com/show_bug.cgi?id=754386">CVE-2011-4314</ulink>) | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-02-03 14:56:13 UTC | Type: | Task |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 794459 | | |
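The Doc Text above describes the missing check: AX attribute fields in an OpenID response were accepted without confirming they were covered by the identity provider's signature. The following is an added example, not code from OpenID4Java, JBoss, or this bug, showing what that check looks like in Python over a constructed OpenID 2.0 indirect response. It assumes the field layout of OpenID Authentication 2.0 and AX 1.0 (`openid.signed` lists signed field names without the `openid.` prefix; AX fields live under the alias declared by `openid.ns.<alias>`) and assumes that verification of `openid.sig` itself happens elsewhere in the relying party.

```python
"""Which OpenID Attribute Exchange (AX) values did the signature actually cover?

Added example (not OpenID4Java or JBoss code). An AX fetch_response field is
only as trustworthy as the identity provider's signature over it, so any AX
field missing from openid.signed must be treated as untrusted data.
Verification of openid.sig against the association MAC key is assumed to be
done by the surrounding relying-party code; this module only audits coverage.
"""
from urllib.parse import parse_qsl

AX_NS = "http://openid.net/srv/ax/1.0"

# Constructed sample: every AX field is listed in openid.signed.
SIGNED_RESPONSE = (
    "openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
    "&openid.ns.ax=http://openid.net/srv/ax/1.0&openid.ax.mode=fetch_response"
    "&openid.ax.type.email=http://axschema.org/contact/email"
    "&openid.ax.value.email=alice@example.org"
    "&openid.signed=op_endpoint,claimed_id,identity,return_to,response_nonce,"
    "assoc_handle,ns.ax,ax.mode,ax.type.email,ax.value.email"
    "&openid.sig=PLACEHOLDER_SIGNATURE"
)

# Constructed sample: the attribute type/value fields sit outside the signed
# list, which is exactly the situation the bug says must not be trusted.
UNSIGNED_AX_RESPONSE = (
    "openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
    "&openid.ns.ax=http://openid.net/srv/ax/1.0&openid.ax.mode=fetch_response"
    "&openid.ax.type.email=http://axschema.org/contact/email"
    "&openid.ax.value.email=alice@example.org"
    "&openid.signed=op_endpoint,claimed_id,identity,return_to,response_nonce,"
    "assoc_handle,ns.ax,ax.mode"
    "&openid.sig=PLACEHOLDER_SIGNATURE"
)


def parse_response(query_string):
    """Parse an indirect (query-string) response into a dict of openid.* keys."""
    return dict(parse_qsl(query_string, keep_blank_values=True))


def ax_alias(params):
    """Return the alias under which the AX namespace was declared, or None.
    The alias is usually 'ax' but the provider may pick any name."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None


def signed_fields(params):
    """Set of field names covered by the signature, per openid.signed."""
    signed = params.get("openid.signed", "")
    return {name.strip() for name in signed.split(",") if name.strip()}


def audit_ax(params):
    """Return (trusted, unsigned).

    trusted  maps attribute alias -> value for attributes whose namespace
             declaration, type field and value field are all signed.
    unsigned lists every AX field name that is absent from openid.signed.
    If the namespace declaration itself is unsigned nothing is trusted, since
    an unsigned ns.<alias> could re-bind the alias to a different extension.
    """
    alias = ax_alias(params)
    if alias is None:
        return {}, []
    signed = signed_fields(params)
    prefix = f"openid.{alias}."
    ax_fields = {k[len("openid."):] for k in params
                 if k == f"openid.ns.{alias}" or k.startswith(prefix)}
    unsigned = sorted(f for f in ax_fields if f not in signed)
    trusted = {}
    if f"ns.{alias}" not in signed:
        return trusted, unsigned
    for key, value in params.items():
        if not key.startswith(prefix + "value."):
            continue
        attr = key[len(prefix) + len("value."):]  # single-valued attributes only
        if f"{alias}.type.{attr}" in signed and f"{alias}.value.{attr}" in signed:
            trusted[attr] = value
    return trusted, unsigned


if __name__ == "__main__":
    for label, raw in (("signed", SIGNED_RESPONSE), ("unsigned AX", UNSIGNED_AX_RESPONSE)):
        trusted, unsigned = audit_ax(parse_response(raw))
        print(f"{label}: trusted={trusted} unsigned={unsigned}")
```

A relying party would call `audit_ax` only after `openid.sig` has been verified, and would use `trusted` as the sole source of AX values; `unsigned` is what to log when a response arrives with attribute fields outside the signature, which is the pattern the Doc Text warns about.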
Description
David Jorm
2011-11-17 05:58:59 UTC
Release Notes Docs Status: Added: Not Yet Documented

Parent: Added: JBEPP-1499

Rank (Obsolete): Removed: 3380000000

Release Notes Text: Added: Upgraded with upgrade of EAP to version 5.1.2

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents: It was found that the Attribute Exchange (AX) extension of OpenID4Java was not checking to ensure attributes were signed. If AX was being used to receive information that an application only trusts the identity provider to assert, a remote attacker could use this flaw to conduct man-in-the-middle attacks and compromise the integrity of the information via a specially-crafted request. By default, only the JBoss Seam openid example application uses OpenID4Java. (CVE-2011-4314)

Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1 +1 @@ -It was found that the Attribute Exchange (AX) extension of OpenID4Java was not checking to ensure attributes were signed. If AX was being used to receive information that an application only trusts the identity provider to assert, a remote attacker could use this flaw to conduct man-in-the-middle attacks and compromise the integrity of the information via a specially-crafted request. By default, only the JBoss Seam openid example application uses OpenID4Java. (CVE-2011-4314)+It was found that the Attribute Exchange (AX) extension of OpenID4Java was not checking to ensure attributes were signed. If AX was being used to receive information that an application only trusts the identity provider to assert, a remote attacker could use this flaw to conduct man-in-the-middle attacks and compromise the integrity of the information via a specially-crafted request. By default, only the JBoss Seam openid example application uses OpenID4Java. (<ulink url="https://bugzilla.redhat.com/show_bug.cgi?id=754386">CVE-2011-4314</ulink>) |
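Review bot: the `-` and `+` lines of this hunk differ only in the `<ulink url="https://bugzilla.redhat.com/show_bug.cgi?id=754386">` wrapper around CVE-2011-4314; the technical note wording is otherwise identical, so this is a markup-only update. The link target is a Bugzilla bug rather than a CVE database entry, so confirm that bug 754386 is the reference readers of the release notes are meant to follow, or point the ulink at the CVE entry itself if that is the intent.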