Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1191451 - (CVE-2015-0227) CVE-2015-0227 wss4j: Apache WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property
CVE-2015-0227 wss4j: Apache WSS4J doesn't correctly enforce the requireSigned...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20150210,repor...
: Security
Depends On: 1191455 1196877 1196878 1196879 1196880 1196881 1196882 1196883 1196884 1196885 1196886 1196887 1196888 1196890 1196892 1196893 1196894 1196895 1196896 1196897 1207497 1207498 1207499
Blocks: 1191452 1206755 1212496 1232965 1258580 1258582
  Show dependency treegraph
 
Reported: 2015-02-11 05:51 EST by Vasyl Kaigorodov
Modified: 2016-07-12 17:26 EDT (History)
61 users (show)

See Also:
Fixed In Version: wss4j 1.6.17, wss4j 2.0.2
Doc Type: Bug Fix
Doc Text:
It was found that Apache WSS4J permitted bypass of the requireSignedEncryptedDataElements configuration property via XML Signature wrapping attacks. A remote attacker could use this flaw to modify the contents of a signed request.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-07-12 17:26:07 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0773 normal SHIPPED_LIVE Important: Red Hat JBoss Data Grid 6.4.1 update 2015-04-01 14:48:20 EDT
Red Hat Product Errata RHSA-2015:0846 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update 2015-04-16 16:17:12 EDT
Red Hat Product Errata RHSA-2015:0847 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update 2015-04-16 16:13:53 EDT
Red Hat Product Errata RHSA-2015:0848 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update 2015-04-16 16:26:01 EDT
Red Hat Product Errata RHSA-2015:0849 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update 2015-04-16 15:39:06 EDT
Red Hat Product Errata RHSA-2015:1176 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse 6.2.0 update 2015-06-23 16:52:52 EDT
Red Hat Product Errata RHSA-2015:1177 normal SHIPPED_LIVE Important: Red Hat JBoss A-MQ 6.2.0 update 2015-06-23 16:52:10 EDT

  None (edit)
Description Vasyl Kaigorodov 2015-02-11 05:51:30 EST 
Apache WSS4J has a "requireSignedEncryptedDataElements" boolean configuration property, which if set enforces that EncryptedData elements are in a signed subtree of the document. The default value of this property is "false". 
However, it is possible to circumvent this setting by various types of wrapping attacks.

This has been fixed in revision:

http://svn.apache.org/viewvc?view=revision&revision=1619359
Comment 1 Vasyl Kaigorodov 2015-02-11 05:57:28 EST 
Created wss4j tracking bugs for this issue:

Affects: fedora-all [bug 1191455]
Comment 6 errata-xmlrpc 2015-04-01 10:49:14 EDT 
This issue has been addressed in the following products:

  Red Hat JBoss Data Grid 6.4

Via RHSA-2015:0773 https://rhn.redhat.com/errata/RHSA-2015-0773.html
Comment 7 errata-xmlrpc 2015-04-16 11:39:45 EDT 
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.4.0

Via RHSA-2015:0849 https://rhn.redhat.com/errata/RHSA-2015-0849.html
Comment 8 errata-xmlrpc 2015-04-16 12:30:08 EDT 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:0847 https://rhn.redhat.com/errata/RHSA-2015-0847.html
Comment 9 errata-xmlrpc 2015-04-16 12:32:33 EDT 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:0846 https://rhn.redhat.com/errata/RHSA-2015-0846.html
Comment 10 errata-xmlrpc 2015-04-16 12:35:07 EDT 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2015:0848 https://rhn.redhat.com/errata/RHSA-2015-0848.html
Comment 11 errata-xmlrpc 2015-06-23 12:52:37 EDT 
This issue has been addressed in the following products:

  Red Hat JBoss A-MQ 6.2.0

Via RHSA-2015:1177 https://rhn.redhat.com/errata/RHSA-2015-1177.html
Comment 12 errata-xmlrpc 2015-06-23 12:53:37 EDT 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.2.0

Via RHSA-2015:1176 https://rhn.redhat.com/errata/RHSA-2015-1176.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.