Bug 826534 - (CVE-2012-2379) CVE-2012-2379 jbossws-cxf, apache-cxf: Apache CXF does not verify that elements were signed / encrypted by a particular Supporting Token
CVE-2012-2379 jbossws-cxf, apache-cxf: Apache CXF does not verify that elemen...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20120607,repo...
: Security
Depends On: 827797 827798 827799 846244 846246 846247 882283
Blocks: 789173 826535 849517 874925 879071 879083 881519 1028865
  Show dependency treegraph
 
Reported: 2012-05-30 08:52 EDT by Jan Lieskovsky
Modified: 2013-11-11 00:39 EST (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-01-24 17:50:29 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2012-05-30 08:52:50 EDT
A flaw was found in the way Apache CXF verifies that XML elements were signed or encrypted by a particular Supporting Token. CXF checks to ensure these elements are signed or encrypted by a Supporting Token, but not whether the correct token is used. A remote attacker could use this flaw to transmit confidential information without the appropriate security, and potentially to circumvent access controls on web services exposed via CXF.
Comment 5 Vincent Danen 2012-06-07 12:27:51 EDT
This has been corrected upstream in versions 2.4.8, 2.5.4, and 2.6.1:

http://svn.apache.org/viewvc?rev=1338219&view=rev

External Reference:

http://cxf.apache.org/cve-2012-2379.html
Comment 7 David Jorm 2012-08-07 05:00:26 EDT
Created jbossws-cxf tracking bugs for this issue

Affects: fedora-17 [bug 846247]
Comment 8 Murray McAllister 2012-10-11 00:09:00 EDT
Acknowledgements:

Red Hat would like to thank the Apache CXF project for reporting this issue.
Comment 9 errata-xmlrpc 2012-12-12 19:32:32 EST
This issue has been addressed in following products:

  JBoss Enterprise BRMS Platform 5.3.1

Via RHSA-2012:1573 https://rhn.redhat.com/errata/RHSA-2012-1573.html
Comment 10 errata-xmlrpc 2012-12-12 19:32:36 EST
This issue has been addressed in following products:

  JBoss Enterprise BRMS Platform 5.3.0

Via RHSA-2012:1559 https://rhn.redhat.com/errata/RHSA-2012-1559.html
Comment 11 errata-xmlrpc 2012-12-18 17:21:30 EST
This issue has been addressed in following products:

  JBEAP 6 for RHEL 5

Via RHSA-2012:1591 https://rhn.redhat.com/errata/RHSA-2012-1591.html
Comment 12 errata-xmlrpc 2012-12-18 17:33:04 EST
This issue has been addressed in following products:

  JBoss Enterprise SOA Platform 5.3.0

Via RHSA-2012:1593 https://rhn.redhat.com/errata/RHSA-2012-1593.html
Comment 13 errata-xmlrpc 2012-12-18 17:33:23 EST
This issue has been addressed in following products:

  JBEAP 6 for RHEL 6

Via RHSA-2012:1592 https://rhn.redhat.com/errata/RHSA-2012-1592.html
Comment 14 errata-xmlrpc 2012-12-18 17:53:21 EST
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.0.1

Via RHSA-2012:1594 https://rhn.redhat.com/errata/RHSA-2012-1594.html
Comment 15 errata-xmlrpc 2013-01-24 13:09:38 EST
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0194 https://rhn.redhat.com/errata/RHSA-2013-0194.html
Comment 16 errata-xmlrpc 2013-01-24 13:32:31 EST
This issue has been addressed in following products:

  JBEAP 5 for RHEL 5

Via RHSA-2013:0192 https://rhn.redhat.com/errata/RHSA-2013-0192.html
Comment 17 errata-xmlrpc 2013-01-24 13:33:17 EST
This issue has been addressed in following products:

  JBEAP 5 for RHEL 6

Via RHSA-2013:0191 https://rhn.redhat.com/errata/RHSA-2013-0191.html
Comment 18 errata-xmlrpc 2013-01-24 13:45:33 EST
This issue has been addressed in following products:

  JBEWP 5 for RHEL 6

Via RHSA-2013:0195 https://rhn.redhat.com/errata/RHSA-2013-0195.html
Comment 19 errata-xmlrpc 2013-01-24 13:46:18 EST
This issue has been addressed in following products:

  JBEAP 5 for RHEL 4

Via RHSA-2013:0193 https://rhn.redhat.com/errata/RHSA-2013-0193.html
Comment 20 errata-xmlrpc 2013-01-24 13:58:35 EST
This issue has been addressed in following products:

  JBEWP 5 for RHEL 4

Via RHSA-2013:0197 https://rhn.redhat.com/errata/RHSA-2013-0197.html
Comment 21 errata-xmlrpc 2013-01-24 13:59:27 EST
This issue has been addressed in following products:

  JBEWP 5 for RHEL 5

Via RHSA-2013:0196 https://rhn.redhat.com/errata/RHSA-2013-0196.html
Comment 22 errata-xmlrpc 2013-01-24 14:08:30 EST
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0198 https://rhn.redhat.com/errata/RHSA-2013-0198.html

Note You need to log in before you can comment on or make changes to this bug.