Bug 856755 - (CVE-2012-4418) CVE-2012-4418 axis2: vulnerable to XML signature wrapping attacks
CVE-2012-4418 axis2: vulnerable to XML signature wrapping attacks
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20120822,repo...
: Security
Depends On: 919325
Blocks: 755067
  Show dependency treegraph
 
Reported: 2012-09-12 14:11 EDT by Jan Lieskovsky
Modified: 2015-07-31 05:54 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-03-08 00:37:49 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2012-09-12 14:11:25 EDT
Apache Axis2, a web services, SOAP, and WSDL engine allows remote attackers to forge messages and bypass authentication via "XML Signature wrapping attack".

References:
[1] http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1411
[3] https://bugzilla.novell.com/show_bug.cgi?id=779901
Comment 1 Vincent Danen 2012-10-10 18:25:24 EDT
See also bug #865168 (CVE-2012-5158).
Comment 2 David Jorm 2013-03-08 00:28:26 EST
Created axis2 tracking bugs for this issue

Affects: fedora-17 [bug 919325]
Comment 3 David Jorm 2013-03-08 00:37:49 EST
Statement:

Not Vulnerable. This issue does not affect the version of axis as shipped with JBoss Developer Studio 5 and 6, JBoss Enterprise Portal Platform 5.2.2 and 6.0.0, Red Hat Enterprise Linux 5 and 6, and Red Hat Enterprise Virtualization Manager 3.1.

Note You need to log in before you can comment on or make changes to this bug.