A security flaw was found in the way the Attribute Exchange (AX) extension of OpenID4Java, a Java library implementing and supporting various OpenID specifications, validated attribute values before passing them to a Java application. The library did not check that the AX attributes carried in a positive assertion were covered by the OpenID Provider's signature (i.e. listed in openid.signed); attributes outside the signed portion of the message were accepted just as readily as signed ones. If AX was being used to receive information that the application trusts only the identity provider to assert (for example the user's e-mail address), a remote attacker able to alter the assertion on its way back to the Relying Party could use this flaw to conduct man-in-the-middle (MITM) attacks and compromise the integrity of this information via a specially-crafted request whose AX fields lie outside the signed part of the message.

References:
[1] http://openid.net/2011/05/05/attribute-exchange-security-alert/
[2] http://secunia.com/advisories/44496/
[3] http://code.google.com/p/openid4java/source/browse/trunk/CHANGELOG?spec=svn662&r=662

Relevant upstream patch:
[4] http://code.google.com/p/openid4java/source/detail?r=661
CVE request: [5] http://www.openwall.com/lists/oss-security/2011/11/16/1
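The check the upstream fix introduces is easiest to see on a concrete assertion. The following is an added illustration written for this page in Python, not OpenID4Java's own code: it builds an OpenID 2.0 positive assertion signed with an HMAC-SHA1 association, then contrasts a Relying Party that returns AX values after verifying only openid.sig (the pre-fix behaviour) with one that additionally requires every AX field, including the ns.<alias> declaration, to be listed in openid.signed. The MAC key, endpoints, identifiers and the alias "ext1" are constructed sample data.

```python
import base64
import hashlib
import hmac

AX_NS = "http://openid.net/srv/ax/1.0"

# Constructed sample data (not from the advisory): the MAC key of an
# HMAC-SHA1 association the Relying Party (RP) shares with the OpenID
# Provider (OP), plus the core fields of a positive assertion.
MAC_KEY = b"\x01" * 20

BASE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/server",
    "openid.claimed_id": "https://op.example/id/alice",
    "openid.identity": "https://op.example/id/alice",
    "openid.return_to": "https://rp.example/openid/return",
    "openid.response_nonce": "2011-11-16T10:00:00Zabc123",
    "openid.assoc_handle": "assoc-1",
}
CORE_SIGNED = ["op_endpoint", "claimed_id", "identity", "return_to",
               "response_nonce", "assoc_handle"]

# An AX fetch_response declared under the (arbitrary) alias "ext1".
AX_PARAMS = {
    "openid.ns.ext1": AX_NS,
    "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.email": "http://axschema.org/contact/email",
    "openid.ext1.value.email": "alice@example.org",
}
AX_SIGNED = ["ns.ext1", "ext1.mode", "ext1.type.email", "ext1.value.email"]


def kv_form(params, signed_fields):
    """OpenID 2.0 Key-Value form of the signed fields: one newline-terminated
    'name:value' line per field, names without the 'openid.' prefix."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields).encode()


def sign(params, signed_fields, mac_key):
    """OP side: set openid.signed and openid.sig over exactly those fields."""
    out = dict(params)
    out["openid.signed"] = ",".join(signed_fields)
    mac = hmac.new(mac_key, kv_form(out, signed_fields), hashlib.sha1).digest()
    out["openid.sig"] = base64.b64encode(mac).decode()
    return out


def signature_valid(params, mac_key):
    """RP side: recompute the MAC over the fields listed in openid.signed."""
    signed_fields = params.get("openid.signed", "").split(",")
    try:
        expected = hmac.new(mac_key, kv_form(params, signed_fields),
                            hashlib.sha1).digest()
    except KeyError:  # a field listed as signed is missing from the message
        return False
    got = base64.b64decode(params.get("openid.sig", ""))
    return hmac.compare_digest(got, expected)


def ax_alias(params):
    """Alias under which the AX namespace is declared, or None."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None


def ax_attributes(params, alias):
    """Attribute name -> value for every openid.<alias>.value.* parameter."""
    prefix = f"openid.{alias}.value."
    return {k[len(prefix):]: v for k, v in params.items() if k.startswith(prefix)}


def unsigned_ax_fields(params):
    """The fix's check: every AX field, the ns.<alias> declaration included,
    must be listed in openid.signed.  Returns the ones that are not."""
    alias = ax_alias(params)
    if alias is None:
        return []
    fields = ["ns." + alias] + [k[len("openid."):] for k in params
                                if k.startswith(f"openid.{alias}.")]
    signed = set(params.get("openid.signed", "").split(","))
    return [f for f in fields if f not in signed]


def fetch_ax_unsafe(params, mac_key):
    """Pre-fix behaviour: a valid signature over *some* fields is taken as
    reason enough to hand the AX values to the application."""
    if not signature_valid(params, mac_key):
        return None
    alias = ax_alias(params)
    return ax_attributes(params, alias) if alias else {}


def fetch_ax_safe(params, mac_key):
    """Fixed behaviour: reject the AX payload unless the signature covers it."""
    if not signature_valid(params, mac_key) or unsigned_ax_fields(params):
        return None
    alias = ax_alias(params)
    return ax_attributes(params, alias) if alias else {}


# Scenario 1: the OP signs the AX fields together with the core fields.
GOOD = sign({**BASE_RESPONSE, **AX_PARAMS}, CORE_SIGNED + AX_SIGNED, MAC_KEY)

# Scenario 2: the OP signs only the core fields.  The assertion reaches the RP
# through the user agent, so whoever controls that hop can append an AX
# fetch_response of their own; openid.sig still verifies because none of the
# appended fields is named in openid.signed.
INJECTED = sign(BASE_RESPONSE, CORE_SIGNED, MAC_KEY)
INJECTED.update(AX_PARAMS)
INJECTED["openid.ext1.value.email"] = "attacker@example.org"

# Scenario 3: the same edit against the fully signed response breaks the MAC.
EDITED = dict(GOOD)
EDITED["openid.ext1.value.email"] = "attacker@example.org"

if __name__ == "__main__":
    for name, resp in [("good", GOOD), ("injected", INJECTED), ("edited", EDITED)]:
        print(name, fetch_ax_unsafe(resp, MAC_KEY), fetch_ax_safe(resp, MAC_KEY))
```

The "injected" case is the one the advisory describes: the signature is genuine, so a Relying Party that only calls the equivalent of signature_valid() accepts attacker-chosen attributes, while the fixed path refuses them because unsigned_ax_fields() is non-empty. Requiring the ns.<alias> declaration itself to be signed matters too; otherwise an attacker could re-point an unsigned alias at the AX namespace.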
This issue has been addressed in the following products:

JBEAP 5 for RHEL 6 via RHSA-2011:1798 https://rhn.redhat.com/errata/RHSA-2011-1798.html
JBEAP 5 for RHEL 5 via RHSA-2011:1799 https://rhn.redhat.com/errata/RHSA-2011-1799.html
JBEAP 5 for RHEL 4 via RHSA-2011:1800 https://rhn.redhat.com/errata/RHSA-2011-1800.html
JBEWP 5 for RHEL 5 via RHSA-2011:1803 https://rhn.redhat.com/errata/RHSA-2011-1803.html
JBEWP 5 for RHEL 6 via RHSA-2011:1802 https://rhn.redhat.com/errata/RHSA-2011-1802.html
JBoss Enterprise Web Platform 5.1.2 via RHSA-2011:1806 https://rhn.redhat.com/errata/RHSA-2011-1806.html
JBoss Enterprise Application Platform 5.1.2 via RHSA-2011:1805 https://rhn.redhat.com/errata/RHSA-2011-1805.html
JBEWP 5 for RHEL 4 via RHSA-2011:1804 https://rhn.redhat.com/errata/RHSA-2011-1804.html
JBoss Enterprise SOA Platform 5.2.0 via RHSA-2012:0378 https://rhn.redhat.com/errata/RHSA-2012-0378.html
JBoss Enterprise BRMS Platform 5.2.0 via RHSA-2012:0441 https://rhn.redhat.com/errata/RHSA-2012-0441.html
JBoss Enterprise Portal Platform 5.2.1 via RHSA-2012:0519 https://rhn.redhat.com/errata/RHSA-2012-0519.html