Bug 865168 (CVE-2012-5351) - CVE-2012-5351 axis2: vulnerable to authentication bypass and forged messages due to a Signature exclusion attack
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2012-5351
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 919325
Blocks: 755067
Reported: 2012-10-10 22:24 UTC by Vincent Danen
Modified: 2021-02-23 13:40 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-08 05:45:23 UTC
Embargoed:



Description Vincent Danen 2012-10-10 22:24:50 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5351 to
the following vulnerability:

Name: CVE-2012-5351
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5351
Assigned: 20121009
Reference: http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf

Apache Axis2 allows remote attackers to forge messages and bypass
authentication via a SAML assertion that lacks a Signature element,
aka a "Signature exclusion attack," a different vulnerability than
CVE-2012-4418.

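The check behind the "Signature exclusion" described above, as an added illustration that is not code from Axis2 or from this bug: a verifier that only validates a Signature when one happens to be present, beside one that fails closed when the element is absent. The HMAC is an assumption standing in for real XML-DSig, the key is a demo value, and the assertions are constructed inline.

```python
"""Signature-exclusion check on a SAML-style assertion (constructed demo)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SIG_PATH = f"{{{DS_NS}}}Signature"
NAMEID_PATH = f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID"
IDP_KEY = b"constructed-demo-key"  # assumption: stands in for the IdP verification key


def _mac(assertion_id: str, subject: str) -> str:
    """Stand-in for XML-DSig: an HMAC over the fields the signature binds."""
    return hmac.new(IDP_KEY, f"{assertion_id}|{subject}".encode(), hashlib.sha256).hexdigest()


def build_assertion(subject: str, signed: bool, assertion_id: str = "_a1") -> bytes:
    """Constructed assertion; with signed=False the ds:Signature element is simply absent."""
    sig = ""
    if signed:
        sig = (f'<ds:Signature xmlns:ds="{DS_NS}"><ds:SignatureValue>'
               f"{_mac(assertion_id, subject)}</ds:SignatureValue></ds:Signature>")
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="{assertion_id}">{sig}'
            f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
            "</saml:Assertion>").encode()


def _signature_valid(root: ET.Element) -> bool:
    """Verify the stand-in signature of an assertion that does carry a Signature."""
    value = root.findtext(f"{SIG_PATH}/{{{DS_NS}}}SignatureValue") or ""
    expected = _mac(root.get("ID", ""), root.findtext(NAMEID_PATH) or "")
    return hmac.compare_digest(value, expected)


def vulnerable_subject(assertion: bytes) -> Optional[str]:
    """Exclusion bug: verification runs only if a Signature is present,
    so an assertion with no Signature at all is accepted unverified."""
    root = ET.fromstring(assertion)
    if root.find(SIG_PATH) is not None and not _signature_valid(root):
        return None
    return root.findtext(NAMEID_PATH)


def hardened_subject(assertion: bytes) -> Optional[str]:
    """Fail closed: an absent Signature is rejected exactly like a bad one."""
    root = ET.fromstring(assertion)
    if root.find(SIG_PATH) is None or not _signature_valid(root):
        return None
    return root.findtext(NAMEID_PATH)
```

A real XML-DSig verifier additionally has to check that the signature's Reference actually covers the assertion being trusted; presence of the element alone is necessary but not sufficient.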
Comment 1 Garrett Holmstrom 2012-10-11 04:32:30 UTC
This bug's summary seems to disagree with its description about which CVE this is.  Would I be correct in assuming that the latter is the correct one, or are we facing two different bugs here?

Comment 2 David Jorm 2012-10-11 05:11:15 UTC
(In reply to comment #1)
> This bug's summary seems to disagree with its description about which CVE
> this is.  Would I be correct in assuming that the latter is the correct one,
> or are we facing two different bugs here?

Well spotted, Garrett. I have edited this bug to refer to the correct CVE ID (CVE-2012-5351).

Comment 3 David Jorm 2013-03-08 05:27:44 UTC
Created axis2 tracking bugs for this issue

Affects: fedora-17 [bug 919325]

Comment 4 David Jorm 2013-03-08 05:45:23 UTC
Statement:

Not Vulnerable. This issue does not affect the version of axis as shipped with JBoss Developer Studio 5 and 6, JBoss Enterprise Portal Platform 5.2.2 and 6.0.0, Red Hat Enterprise Linux 5 and 6, and Red Hat Enterprise Virtualization Manager 3.1.

