Bug 781041 (SOA-3527) - Update Oracle OpenSSO (opensso.war/opensso.jar) to address CVE-2011-3506 & CVE-2011-3517
Keywords:
Status: CLOSED ERRATA
Alias: SOA-3527
Product: JBoss Enterprise SOA Platform 5
Classification: JBoss
Component: Examples
Version: 5.2.0.ER5
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: kconner
QA Contact:
URL: http://jira.jboss.org/jira/browse/SOA...
Whiteboard:
Depends On:
Blocks: 784321 787847
 
Reported: 2011-10-28 04:05 UTC by David Jorm
Modified: 2014-10-21 00:02 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-01 05:33:46 UTC
Type: Bug




Links
System: Red Hat Issue Tracker | ID: SOA-3527 | Private: 0 | Priority: Minor | Status: Closed | Summary: Update Oracle OpenSSO (opensso.war/opensso.jar) to address CVE-2011-3506 & CVE-2011-3517 | Last Updated: 2013-03-07 09:17:14 UTC

Description David Jorm 2011-10-28 04:05:02 UTC
project_key: SOA

Targeting the next release after 5.2.0:

Oracle OpenSSO 7.1 and 8.0 expose an unspecified vulnerability in the authentication component, allowing attackers to manipulate certain data (CVE-2011-3506).

Oracle OpenSSO 8.0 exposes an unspecified vulnerability in the authentication component, allowing a remote attacker to perform a denial of service (CVE-2011-3517).

Please update Oracle OpenSSO as included in the quickstarts to address these vulnerabilities.

Comment 1 Julian Coleman 2012-02-21 16:18:30 UTC
Oracle has released OpenSSO 8 update 2, but this is only available to Oracle subscribers:

  http://wesunsolve.net/patch/id/141655-08

Comment 3 David Jorm 2013-03-01 05:33:46 UTC
The opensso quickstart has been removed in JBoss Enterprise SOA Platform 5.3.0 to address these flaws. Users interested in continuing to receive updates for their custom applications using Oracle OpenSSO are advised to contact Oracle, as Red Hat is no longer supporting OpenSSO.

