Bug 999263 (CVE-2013-2172)

Summary: CVE-2013-2172 Apache Santuario XML Security for Java: XML signature spoofing
Product: [Other] Security Response
Reporter: David Jorm <djorm>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: chazlett, jrusnack, mjc, weli
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20130625,reported=20130820,source=cve,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,eap-4/xmlsec=wontfix,epp-4/xmlsec=wontfix,soap-4.2/xmlsec=wontfix,soap-4.3/xmlsec=wontfix,eap-5/xmlsec=affected,eap-6/xmlsec=affected,brms-5/xmlsec=affected,soap-5/xmlsec=affected,jpp-6/xmlsec=affected,epp-5/xmlsec=wontfix,jon-3.1/xmlsec=affected,jboss/fuse-enterprise-esb-7=affected,jboss/fuse-6=affected,cwe=CWE-290
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.
Last Closed: 2014-10-09 14:24:30 EDT
Bug Depends On: 1000238, 1000239, 1000240, 1000241, 1000242, 1000243, 1000244
Bug Blocks: 956239, 970481, 980700, 999265, 1004652, 1007672, 1026176, 1113315

Description David Jorm 2013-08-21 00:13:50 EDT
Issue Description:

A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.
Comment 1 David Jorm 2013-08-21 00:30:47 EDT
This has been corrected upstream in versions 1.4.8 and 1.5.5:

http://svn.apache.org/viewvc?view=revision&revision=1493772

External Reference:

http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc
Comment 4 errata-xmlrpc 2013-09-04 14:57:27 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.1.1

Via RHSA-2013:1209 https://rhn.redhat.com/errata/RHSA-2013-1209.html
Comment 5 errata-xmlrpc 2013-09-04 15:00:27 EDT
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 6

Via RHSA-2013:1208 https://rhn.redhat.com/errata/RHSA-2013-1208.html
Comment 6 errata-xmlrpc 2013-09-04 15:05:06 EDT
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 5

Via RHSA-2013:1207 https://rhn.redhat.com/errata/RHSA-2013-1207.html
Comment 7 errata-xmlrpc 2013-09-09 12:57:47 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Web Platform 5.2.0

Via RHSA-2013:1220 https://rhn.redhat.com/errata/RHSA-2013-1220.html
Comment 8 errata-xmlrpc 2013-09-09 12:59:29 EDT
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2013:1219 https://rhn.redhat.com/errata/RHSA-2013-1219.html
Comment 9 errata-xmlrpc 2013-09-09 12:59:40 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:1218 https://rhn.redhat.com/errata/RHSA-2013-1218.html
Comment 10 errata-xmlrpc 2013-09-09 13:00:19 EDT
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2013:1217 https://rhn.redhat.com/errata/RHSA-2013-1217.html
Comment 11 errata-xmlrpc 2013-09-30 13:59:26 EDT
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 5.3.1

Via RHSA-2013:1375 https://rhn.redhat.com/errata/RHSA-2013-1375.html
Comment 12 errata-xmlrpc 2013-10-16 12:59:27 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Portal 6.1.0

Via RHSA-2013:1437 https://rhn.redhat.com/errata/RHSA-2013-1437.html
Comment 13 errata-xmlrpc 2013-12-17 13:38:13 EST
This issue has been addressed in the following products:

  Red Hat JBoss Operations Network 3.2.0

Via RHSA-2013:1853 https://rhn.redhat.com/errata/RHSA-2013-1853.html
Comment 14 errata-xmlrpc 2014-02-25 11:42:07 EST
This issue has been addressed in the following products:

  Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2014:0212 https://rhn.redhat.com/errata/RHSA-2014-0212.html
Comment 16 Chess Hazlett 2014-04-14 22:30:46 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.1.0

Via RHSA-2014:0400 https://rhn.redhat.com/errata/RHSA-2014-0400.html
Comment 17 errata-xmlrpc 2014-10-09 12:07:54 EDT
This issue has been addressed in the following products:

  Fuse ESB Enterprise 7.1.0
  Fuse MQ Enterprise 7.1.0

Via RHSA-2014:1369 https://rhn.redhat.com/errata/RHSA-2014-1369.html