Bug 856755 (CVE-2012-4418)

Summary: CVE-2012-4418 axis2: vulnerable to XML signature wrapping attacks
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: andjrobins, djorm, jrusnack, kdaniel, mgoldman, swagiaal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,public=20120822,reported=20120910,source=researcher,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,rhel-5/axis=notaffected,rhel-6/axis=notaffected,fedora-17/axis2=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-03-08 00:37:49 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 919325    
Bug Blocks: 755067    

Description Jan Lieskovsky 2012-09-12 14:11:25 EDT
Apache Axis2, a web services, SOAP, and WSDL engine allows remote attackers to forge messages and bypass authentication via "XML Signature wrapping attack".

References:
[1] http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1411
[3] https://bugzilla.novell.com/show_bug.cgi?id=779901
Comment 1 Vincent Danen 2012-10-10 18:25:24 EDT
See also bug #865168 (CVE-2012-5158).
Comment 2 David Jorm 2013-03-08 00:28:26 EST
Created axis2 tracking bugs for this issue

Affects: fedora-17 [bug 919325]
Comment 3 David Jorm 2013-03-08 00:37:49 EST
Statement:

Not Vulnerable. This issue does not affect the version of axis as shipped with JBoss Developer Studio 5 and 6, JBoss Enterprise Portal Platform 5.2.2 and 6.0.0, Red Hat Enterprise Linux 5 and 6, and Red Hat Enterprise Virtualization Manager 3.1.