Bug 2246070 (CVE-2023-44483) - CVE-2023-44483 santuario: Private Key disclosure in debug-log output
Summary: CVE-2023-44483 santuario: Private Key disclosure in debug-log output
Keywords:
Status: NEW
Alias: CVE-2023-44483
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2246071 2246072 2260292 2260293
Blocks: 2245905
Reported: 2023-10-25 09:06 UTC by ybuenos
Modified: 2024-04-30 23:00 UTC (History)

Fixed In Version: santuario 2.2.6, santuario 2.3.4, santuario 3.0.3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:0710 0 None None None 2024-02-06 19:53:06 UTC
Red Hat Product Errata RHSA-2024:0711 0 None None None 2024-02-06 19:54:56 UTC
Red Hat Product Errata RHSA-2024:0712 0 None None None 2024-02-06 19:52:03 UTC
Red Hat Product Errata RHSA-2024:0714 0 None None None 2024-02-06 19:55:44 UTC
Red Hat Product Errata RHSA-2024:0789 0 None None None 2024-02-12 16:02:08 UTC
Red Hat Product Errata RHSA-2024:0798 0 None None None 2024-02-13 16:53:37 UTC
Red Hat Product Errata RHSA-2024:0799 0 None None None 2024-02-13 16:52:41 UTC
Red Hat Product Errata RHSA-2024:0800 0 None None None 2024-02-13 16:53:09 UTC
Red Hat Product Errata RHSA-2024:0801 0 None None None 2024-02-13 16:54:28 UTC
Red Hat Product Errata RHSA-2024:0804 0 None None None 2024-02-13 17:08:12 UTC

Description ybuenos 2023-10-25 09:06:09 UTC
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.


https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55
http://www.openwall.com/lists/oss-security/2023/10/20/5

Comment 1 ybuenos 2023-10-25 09:06:28 UTC
Created xml-security-c tracking bugs for this issue:

Affects: epel-all [bug 2246071]
Affects: fedora-all [bug 2246072]

Comment 3 Dhananjay Arunesh 2024-01-25 04:28:14 UTC
Created xml-security-c tracking bugs for this issue:

Affects: epel-all [bug 2260292]
Affects: fedora-all [bug 2260293]

Comment 7 errata-xmlrpc 2024-02-06 19:52:01 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2024:0712 https://access.redhat.com/errata/RHSA-2024:0712

Comment 8 errata-xmlrpc 2024-02-06 19:53:03 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2024:0710 https://access.redhat.com/errata/RHSA-2024:0710

Comment 9 errata-xmlrpc 2024-02-06 19:54:53 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2024:0711 https://access.redhat.com/errata/RHSA-2024:0711

Comment 10 errata-xmlrpc 2024-02-06 19:55:41 UTC
This issue has been addressed in the following products:

  EAP 7.4.15

Via RHSA-2024:0714 https://access.redhat.com/errata/RHSA-2024:0714

Comment 11 errata-xmlrpc 2024-02-12 16:02:06 UTC
This issue has been addressed in the following products:

  RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)

Via RHSA-2024:0789 https://access.redhat.com/errata/RHSA-2024:0789

Comment 12 errata-xmlrpc 2024-02-13 16:52:37 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2024:0799 https://access.redhat.com/errata/RHSA-2024:0799

Comment 13 errata-xmlrpc 2024-02-13 16:53:06 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2024:0800 https://access.redhat.com/errata/RHSA-2024:0800

Comment 14 errata-xmlrpc 2024-02-13 16:53:34 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2024:0798 https://access.redhat.com/errata/RHSA-2024:0798

Comment 15 errata-xmlrpc 2024-02-13 16:54:24 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2024:0801 https://access.redhat.com/errata/RHSA-2024:0801

Comment 16 errata-xmlrpc 2024-02-13 17:08:09 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2024:0804 https://access.redhat.com/errata/RHSA-2024:0804

Comment 17 Paramvir jindal 2024-04-03 04:00:46 UTC
Marking EAP-8 as not affected because EAP 8 GA was released with the fixed version.

