Apache Axis2, a web services, SOAP, and WSDL engine, allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack".

References:
[1] http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1411
[3] https://bugzilla.novell.com/show_bug.cgi?id=779901
See also bug #865168 (CVE-2012-5158).
Created axis2 tracking bugs for this issue

Affects: fedora-17 [bug 919325]
Statement: Not Vulnerable. This issue does not affect the version of axis as shipped with JBoss Developer Studio 5 and 6, JBoss Enterprise Portal Platform 5.2.2 and 6.0.0, Red Hat Enterprise Linux 5 and 6, and Red Hat Enterprise Virtualization Manager 3.1.