Bug 880443 (CVE-2012-5575)

Summary: CVE-2012-5575 jbossws-native, jbossws-cxf, apache-cxf: XML encryption backwards compatibility attacks
Product: [Other] Security Response
Reporter: David Jorm <djorm>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aneelica, asoldano, bressers, jlieskov, jrusnack, mjc, pcheung, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20130308,reported=20121115,source=researcher,cvss2=7.8/AV:N/AC:L/Au:N/C:C/I:N/A:N,eap-6/cxf=affected,epp-4/jbossws-native=affected,epp-5/jbossws-native=affected,jpp-6/cxf=affected,soap-4.3/jbossws-native=affected,soap-5/jbossws-native=affected,soap-5/cxf=affected,brms-5/jbossws-native=affected,brms-5/cxf=affected,jboss/eap-5=affected,jboss/fuse-esb-enterprise-7=affected,cwe=CWE-327
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-10-16 21:44:03 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 901224, 918348, 952020, 952021, 952022, 952023, 952024, 952025, 952027, 953308
Bug Blocks: 880470, 920007, 953709, 958335, 968131, 970481

Description David Jorm 2012-11-26 20:56:15 EST
Tibor Jager, Kenneth G. Paterson and Juraj Somorovsky have described XML encryption backwards compatibility attacks against various frameworks, including Apache CXF. An attacker can use these flaws to force a server to utilize insecure, legacy cryptosystems when secure cryptosystems are enabled on endpoints. This could expose flaws in the underlying legacy cryptosystems, such as CVE-2011-1096 and CVE-2011-2487. This flaw also affects the jbossws-native stack.

Acknowledgements:

Red Hat would like to thank Tibor Jager, Kenneth G. Paterson and Juraj Somorovsky of Ruhr-University Bochum for reporting this issue.
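The attack class described above works because a receiver that still supports a legacy cryptosystem lets the sender choose it. The defender's counter is to reject, before any decryption is attempted, every inbound message that names an algorithm outside the endpoint's configured set, no matter what the underlying library could process. The following is an added example of such a receiver-side check; it is not code from this bug, from Apache CXF or from JBossWS. The allowlists, the `build_message` helper and the sample envelopes are constructed assumptions for illustration.

```python
# Added example (not from the Red Hat bug, Apache CXF or JBossWS): a
# receiver-side allowlist check on the XML Encryption algorithms named in a
# WS-Security SOAP message. The message is rejected when EncryptedKey or
# EncryptedData names anything outside the configured set, or when no XML
# Encryption is present at all.
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
NS = {"xenc": XENC}

# Assumed endpoint policy: modern key transport and AEAD data encryption only.
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
AES_GCM = "http://www.w3.org/2009/xmlenc11#aes128-gcm"
ALLOWED_KEY_TRANSPORT = {RSA_OAEP, "http://www.w3.org/2009/xmlenc11#rsa-oaep"}
ALLOWED_DATA_ENCRYPTION = {AES_GCM, "http://www.w3.org/2009/xmlenc11#aes256-gcm"}

# Legacy identifiers a downgraded message would carry (for the constructed sample).
RSA_PKCS1_V15 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
AES_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"


def _algorithm_of(element):
    """Return the Algorithm URI of the element's EncryptionMethod child, or None."""
    method = element.find("xenc:EncryptionMethod", NS)
    return method.get("Algorithm") if method is not None else None


def check_encryption_algorithms(soap_xml: str) -> list:
    """Return a list of policy violations; an empty list means the message may be decrypted."""
    root = ET.fromstring(soap_xml)
    problems = []
    seen = 0
    for encrypted_key in root.iter("{%s}EncryptedKey" % XENC):
        seen += 1
        alg = _algorithm_of(encrypted_key)
        if alg not in ALLOWED_KEY_TRANSPORT:
            problems.append("key transport algorithm not allowed: %s" % alg)
    for encrypted_data in root.iter("{%s}EncryptedData" % XENC):
        seen += 1
        alg = _algorithm_of(encrypted_data)
        if alg not in ALLOWED_DATA_ENCRYPTION:
            problems.append("data encryption algorithm not allowed: %s" % alg)
    if seen == 0:
        # A message stripped of encryption entirely must not pass either.
        problems.append("no XML Encryption present")
    return problems


def build_message(key_alg: str, data_alg: str) -> str:
    """Constructed sample WS-Security envelope naming the given algorithms (cipher text is dummy)."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" '
        'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
        "<soap:Header><wsse:Security>"
        "<xenc:EncryptedKey>"
        '<xenc:EncryptionMethod Algorithm="%s"/>'
        "<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>"
        "</xenc:EncryptedKey>"
        "</wsse:Security></soap:Header>"
        "<soap:Body>"
        '<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Content">'
        '<xenc:EncryptionMethod Algorithm="%s"/>'
        "<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>"
        "</xenc:EncryptedData>"
        "</soap:Body></soap:Envelope>"
    ) % (key_alg, data_alg)


if __name__ == "__main__":
    print("secure:", check_encryption_algorithms(build_message(RSA_OAEP, AES_GCM)))
    print("downgraded:", check_encryption_algorithms(build_message(RSA_PKCS1_V15, AES_CBC)))
```

The check is deliberately positive (allowlist) rather than a list of known-bad URIs: the point of the attack is that any algorithm the receiver merely supports becomes selectable by the sender, so the accepted set must be the configured policy, not the library's capabilities. In a real deployment the same policy must also be applied to the signature and digest algorithms, and the rejection must happen before any cipher text is handed to the decryption code.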
Comment 12 errata-xmlrpc 2013-05-20 10:32:07 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.1.0

Via RHSA-2013:0833 https://rhn.redhat.com/errata/RHSA-2013-0833.html
Comment 13 errata-xmlrpc 2013-05-20 11:25:43 EDT
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 6

Via RHSA-2013:0834 https://rhn.redhat.com/errata/RHSA-2013-0834.html
Comment 14 errata-xmlrpc 2013-05-20 11:39:26 EDT
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 5

Via RHSA-2013:0839 https://rhn.redhat.com/errata/RHSA-2013-0839.html
Comment 15 errata-xmlrpc 2013-05-28 13:41:47 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0876 https://rhn.redhat.com/errata/RHSA-2013-0876.html
Comment 16 errata-xmlrpc 2013-05-28 13:42:25 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0875 https://rhn.redhat.com/errata/RHSA-2013-0875.html
Comment 17 errata-xmlrpc 2013-05-28 13:43:03 EDT
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2013:0874 https://rhn.redhat.com/errata/RHSA-2013-0874.html
Comment 18 errata-xmlrpc 2013-05-28 13:43:41 EDT
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2013:0873 https://rhn.redhat.com/errata/RHSA-2013-0873.html
Comment 19 errata-xmlrpc 2013-06-12 12:44:47 EDT
This issue has been addressed in the following products:

  Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2013:0943 https://rhn.redhat.com/errata/RHSA-2013-0943.html
Comment 20 errata-xmlrpc 2013-06-18 10:49:58 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Portal 5.2.2

Via RHSA-2013:0953 https://rhn.redhat.com/errata/RHSA-2013-0953.html
Comment 21 errata-xmlrpc 2013-07-01 11:15:28 EDT
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 5.3.1

Via RHSA-2013:1006 https://rhn.redhat.com/errata/RHSA-2013-1006.html
Comment 22 errata-xmlrpc 2013-07-09 13:37:05 EDT
This issue has been addressed in the following products:

  Fuse ESB Enterprise 7.1.0

Via RHSA-2013:1028 https://rhn.redhat.com/errata/RHSA-2013-1028.html
Comment 24 errata-xmlrpc 2013-08-07 13:39:36 EDT
This issue has been addressed in the following products:

  Red Hat JBoss SOA Platform 4.3 CP05
  Red Hat JBoss Portal 4.3 CP07

Via RHSA-2013:1143 https://rhn.redhat.com/errata/RHSA-2013-1143.html
Comment 25 errata-xmlrpc 2013-10-16 12:55:46 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Portal 6.1.0

Via RHSA-2013:1437 https://rhn.redhat.com/errata/RHSA-2013-1437.html