Bug 856755 (CVE-2012-4418) - CVE-2012-4418 axis2: vulnerable to XML signature wrapping attacks
Summary: CVE-2012-4418 axis2: vulnerable to XML signature wrapping attacks
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2012-4418
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 919325
Blocks: 755067
 
Reported: 2012-09-12 18:11 UTC by Jan Lieskovsky
Modified: 2021-02-23 13:52 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-08 05:37:49 UTC
Embargoed:



Description Jan Lieskovsky 2012-09-12 18:11:25 UTC
Apache Axis2, a web services, SOAP, and WSDL engine, allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack".

References:
[1] http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1411
[3] https://bugzilla.novell.com/show_bug.cgi?id=779901

Comment 1 Vincent Danen 2012-10-10 22:25:24 UTC
See also bug #865168 (CVE-2012-5158).

Comment 2 David Jorm 2013-03-08 05:28:26 UTC
Created axis2 tracking bugs for this issue

Affects: fedora-17 [bug 919325]

Comment 3 David Jorm 2013-03-08 05:37:49 UTC
Statement:

Not Vulnerable. This issue does not affect the version of axis as shipped with JBoss Developer Studio 5 and 6, JBoss Enterprise Portal Platform 5.2.2 and 6.0.0, Red Hat Enterprise Linux 5 and 6, and Red Hat Enterprise Virtualization Manager 3.1.

