Red Hat Bugzilla – Bug 1184115
CVE-2014-8152 Apache Santuario XML Security for Java: Streaming XML Signature verification failure
Last modified: 2015-02-23 13:54:15 EST
The 2.0.x series of releases of the Apache Santuario XML Security for Java library introduced support for streaming (StAX-based) XML Signature and Encryption. It was discovered that Apache Santuario XML Security for Java did not correctly verify signatures of certain XML documents. A remote attacker could use this flaw to modify an XML document without invalidating its signature. Please note that the "in-memory" (DOM) API for XML Signature is not affected by this issue, nor is the JSR-105 API. Also, web service stacks that use the streaming functionality of Apache Santuario (such as Apache CXF/WSS4J) are also not affected by this vulnerability. Upstream patch: http://svn.apache.org/viewvc?view=revision&revision=1634334 External References: http://santuario.apache.org/secadv.data/CVE-2014-8152.txt
Statement: Not vulnerable. The 2.0.x versions of Apache Santuario XML Security for Java are not shipped in any Red Hat product as of January 2015.
Victims Record: https://github.com/victims/victims-cve-db/blob/master/database/java/2014/8152.yaml