Bug 754386 - (CVE-2011-4314) CVE-2011-4314 openid4java (AX extension): MITM due to improper validation of AX attribute signatures
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20110505,reported=2...
Keywords: Security
Blocks: 754387 787092 787530 808950
Reported: 2011-11-16 05:50 EST by Jan Lieskovsky
Modified: 2012-04-24 22:35 EDT (History)
Doc Type: Bug Fix
Last Closed: 2012-04-24 22:35:17 EDT

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1798 normal SHIPPED_LIVE Low: JBoss Enterprise Application Platform 5.1.2 update 2011-12-08 19:15:15 EST
Red Hat Product Errata RHSA-2011:1799 normal SHIPPED_LIVE Low: JBoss Enterprise Application Platform 5.1.2 update 2011-12-08 19:35:33 EST
Red Hat Product Errata RHSA-2011:1800 normal SHIPPED_LIVE Low: JBoss Enterprise Application Platform 5.1.2 update 2011-12-08 19:45:54 EST
Red Hat Product Errata RHSA-2011:1802 normal SHIPPED_LIVE Low: JBoss Enterprise Web Platform 5.1.2 update 2011-12-08 19:56:26 EST
Red Hat Product Errata RHSA-2011:1803 normal SHIPPED_LIVE Low: JBoss Enterprise Web Platform 5.1.2 update 2011-12-08 19:56:10 EST
Red Hat Product Errata RHSA-2011:1804 normal SHIPPED_LIVE Low: JBoss Enterprise Web Platform 5.1.2 update 2011-12-08 20:07:21 EST
Red Hat Product Errata RHSA-2011:1805 normal SHIPPED_LIVE Low: JBoss Enterprise Application Platform 5.1.2 update 2011-12-08 20:07:16 EST
Red Hat Product Errata RHSA-2011:1806 normal SHIPPED_LIVE Low: JBoss Enterprise Web Platform 5.1.2 update 2011-12-08 20:07:08 EST
Red Hat Product Errata RHSA-2012:0378 normal SHIPPED_LIVE Low: JBoss Enterprise SOA Platform 5.2.0 update 2012-03-12 16:57:05 EDT
Red Hat Product Errata RHSA-2012:0441 normal SHIPPED_LIVE Moderate: JBoss Enterprise BRMS Platform 5.2.0 update 2012-04-02 19:30:04 EDT
Red Hat Product Errata RHSA-2012:0519 normal SHIPPED_LIVE Moderate: JBoss Enterprise Portal Platform 5.2.1 update 2012-04-25 02:10:00 EDT
Description Jan Lieskovsky 2011-11-16 05:50:44 EST
A security flaw was found in the way the Attribute Exchange (AX) extension of OpenID4Java, a Java library implementing and supporting various OpenID specifications, performed validation of attribute values passed to a Java application. It was not checking to ensure that the information provided through AX was signed. If AX was being used to receive information that the application only trusts the identity provider to assert, a remote attacker could use this flaw to conduct man-in-the-middle (MITM) attacks and compromise the integrity of this information via a specially-crafted request.

References:
[1] http://openid.net/2011/05/05/attribute-exchange-security-alert/
[2] http://secunia.com/advisories/44496/
[3] http://code.google.com/p/openid4java/source/browse/trunk/CHANGELOG?spec=svn662&r=662

Relevant upstream patch:
[4] http://code.google.com/p/openid4java/source/detail?r=661
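As an added illustration of the check the description says was missing (constructed example, not openid4java's code): a relying-party-side test that refuses AX attribute values unless every AX field, including the openid.ns.<alias> namespace declaration, appears in openid.signed. The sample responses are constructed, the openid.sig value is a placeholder, and verifying the signature itself over the signed fields is assumed to happen elsewhere.

```python
"""Accept OpenID 2.0 AX attribute values only when every AX field is covered
by openid.signed. Assumes OpenID 2.0 conventions: openid.signed lists field
names without the 'openid.' prefix; openid.ns.<alias> binds an extension alias."""
from urllib.parse import parse_qsl

AX_NS = "http://openid.net/srv/ax/1.0"

# Constructed sample redirect query strings from an OP; openid.sig is a placeholder.
SIGNED_AX = (
    "openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
    "&openid.ns.ext1=http://openid.net/srv/ax/1.0&openid.ext1.mode=fetch_response"
    "&openid.ext1.type.email=http://axschema.org/contact/email"
    "&openid.ext1.value.email=alice@example.com"
    "&openid.signed=op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,"
    "ns.ext1,ext1.mode,ext1.type.email,ext1.value.email&openid.sig=PLACEHOLDER"
)
# Same assertion with the AX fields left out of openid.signed: the values could
# then be altered in transit without invalidating openid.sig.
UNSIGNED_AX = SIGNED_AX.replace(",ns.ext1,ext1.mode,ext1.type.email,ext1.value.email", "")


def parse_response(query_string):
    """Parse the OP's redirect query string into a {parameter: value} dict."""
    return dict(parse_qsl(query_string))


def ax_alias(params):
    """Return the alias the OP bound to the AX namespace, or None if AX is absent."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None


def unsigned_ax_fields(params):
    """List AX fields (without the 'openid.' prefix) that openid.signed does not cover."""
    alias = ax_alias(params)
    if alias is None:
        return []
    signed = set(params.get("openid.signed", "").split(","))
    ax_fields = [key[len("openid."):] for key in params
                 if key == f"openid.ns.{alias}" or key.startswith(f"openid.{alias}.")]
    return sorted(field for field in ax_fields if field not in signed)


def trusted_ax_values(params):
    """Return {attribute alias: value} for the AX fetch response; raise if any AX field is unsigned."""
    missing = unsigned_ax_fields(params)
    if missing:
        raise ValueError(f"AX fields not covered by openid.signed: {missing}")
    prefix = f"openid.{ax_alias(params)}.value."
    return {key[len(prefix):]: value for key, value in params.items() if key.startswith(prefix)}
```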
Comment 1 Jan Lieskovsky 2011-11-16 05:58:33 EST
CVE request:
[5] http://www.openwall.com/lists/oss-security/2011/11/16/1
Comment 3 errata-xmlrpc 2011-12-08 14:16:38 EST
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 6

Via RHSA-2011:1798 https://rhn.redhat.com/errata/RHSA-2011-1798.html
Comment 4 errata-xmlrpc 2011-12-08 14:36:56 EST
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 5

Via RHSA-2011:1799 https://rhn.redhat.com/errata/RHSA-2011-1799.html
Comment 5 errata-xmlrpc 2011-12-08 14:47:32 EST
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 4

Via RHSA-2011:1800 https://rhn.redhat.com/errata/RHSA-2011-1800.html
Comment 6 errata-xmlrpc 2011-12-08 14:57:52 EST
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 5

Via RHSA-2011:1803 https://rhn.redhat.com/errata/RHSA-2011-1803.html
Comment 7 errata-xmlrpc 2011-12-08 14:57:58 EST
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 6

Via RHSA-2011:1802 https://rhn.redhat.com/errata/RHSA-2011-1802.html
Comment 8 errata-xmlrpc 2011-12-08 15:08:44 EST
This issue has been addressed in the following products:

  JBoss Enterprise Web Platform 5.1.2

Via RHSA-2011:1806 https://rhn.redhat.com/errata/RHSA-2011-1806.html
Comment 9 errata-xmlrpc 2011-12-08 15:08:51 EST
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.1.2

Via RHSA-2011:1805 https://rhn.redhat.com/errata/RHSA-2011-1805.html
Comment 10 errata-xmlrpc 2011-12-08 15:08:56 EST
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 4

Via RHSA-2011:1804 https://rhn.redhat.com/errata/RHSA-2011-1804.html
Comment 11 errata-xmlrpc 2012-03-12 12:59:33 EDT
This issue has been addressed in the following products:

  JBoss Enterprise SOA Platform 5.2.0

Via RHSA-2012:0378 https://rhn.redhat.com/errata/RHSA-2012-0378.html
Comment 12 errata-xmlrpc 2012-04-02 15:31:05 EDT
This issue has been addressed in the following products:

  JBoss Enterprise BRMS Platform 5.2.0

Via RHSA-2012:0441 https://rhn.redhat.com/errata/RHSA-2012-0441.html
Comment 13 errata-xmlrpc 2012-04-24 22:11:54 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Portal Platform 5.2.1

Via RHSA-2012:0519 https://rhn.redhat.com/errata/RHSA-2012-0519.html