Bug 794319 (JBEPP-1368) - Upgrade openid4java to resolve CVE-2011-4314
Summary: Upgrade openid4java to resolve CVE-2011-4314
Keywords:
Status: CLOSED NEXTRELEASE
Alias: JBEPP-1368
Product: JBoss Enterprise Portal Platform 5
Classification: JBoss
Component: Portal
Version: 5.1.1.GA
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 5.2.1.GA
Assignee: hfnukal@redhat.com
QA Contact:
URL: http://jira.jboss.org/jira/browse/JBE...
Whiteboard:
Depends On:
Blocks: JBEPP-1499
Reported: 2011-11-17 05:58 UTC by David Jorm
Modified: 2014-10-21 00:02 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that the Attribute Exchange (AX) extension of OpenID4Java was not checking to ensure attributes were signed. If AX was being used to receive information that an application only trusts the identity provider to assert, a remote attacker could use this flaw to conduct man-in-the-middle attacks and compromise the integrity of the information via a specially-crafted request. By default, only the JBoss Seam openid example application uses OpenID4Java. (<ulink url="https://bugzilla.redhat.com/show_bug.cgi?id=754386">CVE-2011-4314</ulink>)
Clone Of:
Environment:
Last Closed: 2012-02-03 14:56:13 UTC
Type: Task
Embargoed:

Links
Red Hat Issue Tracker JBEPP-1368 (Private: 0, Priority: None, Status: Closed, Summary: Upgrade openid4java to resolve CVE-2011-4314, Last Updated: 2012-05-11 12:21:43 UTC)

Description David Jorm 2011-11-17 05:58:59 UTC
project_key: JBEPP

EAP 5.1.2 has upgraded the openid4java component to resolve CVE-2011-4314. For details, see JBPAPP-7139. Please ensure that this upgrade is inherited in the next release based on EAP 5.1.2.

Comment 1 Thomas Heute 2011-11-17 07:08:06 UTC
Release Notes Docs Status: Added: Not Yet Documented


Comment 2 hfnukal@redhat.com 2012-02-02 09:54:20 UTC
Parent: Added: JBEPP-1499
Rank (Obsolete): Removed: 3380000000 


Comment 3 hfnukal@redhat.com 2012-02-03 14:56:13 UTC
Release Notes Text: Added: Upgraded with upgrade of EAP to version 5.1.2


Comment 6 Jared MORGAN 2012-03-22 03:58:25 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
It was found that the Attribute Exchange (AX) extension of OpenID4Java was not checking to ensure attributes were signed. If AX was being used to receive information that an application only trusts the identity provider to assert, a remote attacker could use this flaw to conduct man-in-the-middle attacks and compromise the integrity of the information via a specially-crafted request. By default, only the JBoss Seam openid example application uses OpenID4Java. (CVE-2011-4314)

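The technical note above says the flaw was that AX attributes were accepted without checking that they were signed. The block below is an added example, not openid4java's own code and not the fix shipped in EAP 5.1.2: it shows the relying-party-side check that closes that gap under the OpenID 2.0 rules, namely that `openid.signed` names every field the provider signed (without the `openid.` prefix) and that an extension alias is bound to AX through `openid.ns.<alias>`. The sample assertion, its hosts, association handle, nonce and signature value are constructed placeholders, and verifying the HMAC in `openid.sig` over the listed fields is assumed to happen before this check runs.

```python
# Added example, not openid4java's own code: a relying-party-side check that
# every Attribute Exchange (AX) field in an OpenID 2.0 positive assertion is
# covered by the provider's signature. Assumes the OpenID 2.0 rule that
# openid.signed lists every signed field (names without the "openid." prefix)
# and that an extension alias is bound to AX via openid.ns.<alias>.
from urllib.parse import parse_qsl, urlencode

AX_NS = "http://openid.net/srv/ax/1.0"


def parse_openid_message(query: str) -> dict:
    """Parse an indirect (URL-encoded) OpenID response into a field dict."""
    return dict(parse_qsl(query, keep_blank_values=True))


def signed_fields(msg: dict) -> set:
    """Field names the provider claims to have signed (openid.signed)."""
    return {f for f in msg.get("openid.signed", "").split(",") if f}


def ax_aliases(msg: dict) -> list:
    """Every extension alias bound to the AX namespace in this message."""
    return [k[len("openid.ns."):] for k, v in msg.items()
            if k.startswith("openid.ns.") and v == AX_NS]


def unsigned_ax_fields(msg: dict) -> list:
    """AX fields (the namespace binding included) missing from openid.signed.

    An empty list means the AX payload is covered by the signature. That only
    means something if openid.sig has already been verified over exactly the
    fields in openid.signed; that HMAC check is assumed to happen elsewhere.
    """
    signed = signed_fields(msg)
    missing = []
    for alias in ax_aliases(msg):
        if f"ns.{alias}" not in signed:
            missing.append(f"ns.{alias}")
        prefix = f"openid.{alias}."
        for key in msg:
            if key.startswith(prefix) and key[len("openid."):] not in signed:
                missing.append(key[len("openid."):])
    return sorted(missing)


def ax_is_signed(msg: dict) -> bool:
    """True when every AX field in the message is listed in openid.signed."""
    return not unsigned_ax_fields(msg)


def ax_attributes(msg: dict) -> dict:
    """Map AX type URIs to values, refusing the message if any AX field is unsigned.

    Single-valued attributes only; AX's count/value.N form is not handled here.
    """
    missing = unsigned_ax_fields(msg)
    if missing:
        raise ValueError(f"AX fields not covered by signature: {missing}")
    attrs = {}
    for alias in ax_aliases(msg):
        type_prefix = f"openid.{alias}.type."
        for key, type_uri in msg.items():
            if key.startswith(type_prefix):
                name = key[len(type_prefix):]
                attrs[type_uri] = msg.get(f"openid.{alias}.value.{name}")
    return attrs


# Constructed sample assertion (hosts, handle, nonce and signature are placeholders).
SIGNED_AX = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/server",
    "openid.claimed_id": "https://op.example/id/alice",
    "openid.identity": "https://op.example/id/alice",
    "openid.return_to": "https://rp.example/return",
    "openid.response_nonce": "2011-11-17T05:58:59Zabc",
    "openid.assoc_handle": "handle-placeholder",
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.value.email": "alice@example.com",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.ax,ax.mode,ax.type.email,ax.value.email",
    "openid.sig": "placeholder-signature",
}

# Same message, but the signature covers only the core fields, so the AX
# attributes could have been altered in transit without detection.
UNSIGNED_AX = dict(SIGNED_AX, **{
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
})

if __name__ == "__main__":
    for label, msg in (("signed AX", SIGNED_AX), ("unsigned AX", UNSIGNED_AX)):
        parsed = parse_openid_message(urlencode(msg))
        try:
            print(label, "->", ax_attributes(parsed))
        except ValueError as err:
            print(label, "-> rejected:", err)
```

The check treats the `ns.<alias>` binding as part of the AX payload on purpose: if the namespace declaration itself is unsigned, the alias could be rebound and the signed attribute fields would no longer mean what the relying party thinks they mean.
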
Comment 7 Jared MORGAN 2012-04-11 03:31:53 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-It was found that the Attribute Exchange (AX) extension of OpenID4Java was not checking to ensure attributes were signed. If AX was being used to receive information that an application only trusts the identity provider to assert, a remote attacker could use this flaw to conduct man-in-the-middle attacks and compromise the integrity of the information via a specially-crafted request. By default, only the JBoss Seam openid example application uses OpenID4Java. (CVE-2011-4314)+It was found that the Attribute Exchange (AX) extension of OpenID4Java was not checking to ensure attributes were signed. If AX was being used to receive information that an application only trusts the identity provider to assert, a remote attacker could use this flaw to conduct man-in-the-middle attacks and compromise the integrity of the information via a specially-crafted request. By default, only the JBoss Seam openid example application uses OpenID4Java. (<ulink url="https://bugzilla.redhat.com/show_bug.cgi?id=754386">CVE-2011-4314</ulink>)
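Review bot: the `-` and `+` sides of this hunk have been run together on one line, so the `+` marker sits directly after the closing parenthesis of the old text and the boundary between the two versions is easy to miss; the only actual change is that `(CVE-2011-4314)` becomes `(<ulink url="https://bugzilla.redhat.com/show_bug.cgi?id=754386">CVE-2011-4314</ulink>)`, with the rest of the note unchanged.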

