Bug 865168 - (CVE-2012-5351) CVE-2012-5351 axis2: vulnerable to authentication bypass and forged messages due to a Signature exclusion attack
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All, OS: Linux
Priority: high, Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20120822,repo...
Keywords: Security
Depends On: 919325
Blocks: 755067
Reported: 2012-10-10 18:24 EDT by Vincent Danen
Modified: 2013-03-08 00:45 EST (History)
Doc Type: Bug Fix
Last Closed: 2013-03-08 00:45:23 EST
Attachments: None
Description Vincent Danen 2012-10-10 18:24:50 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5351 to
the following vulnerability:

Name: CVE-2012-5351
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5351
Assigned: 20121009
Reference: http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf

Apache Axis2 allows remote attackers to forge messages and bypass
authentication via a SAML assertion that lacks a Signature element,
aka a "Signature exclusion attack," a different vulnerability than
CVE-2012-4418.
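The description above names the failure mode but not the code pattern behind it. The following is an added illustration, not code from Axis2 or from this bug report: a consumer that only verifies a SAML assertion's signature when a Signature element happens to be present (the exclusion pattern the CVE describes) is shown beside a fail-closed version that rejects any assertion without a direct-child ds:Signature before anything else is trusted. The `verify_signature` callback, the `AssertionRejected` class and both sample assertions are constructed for the example; the callback stands in for real XML-DSig verification, which this snippet does not perform.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


class AssertionRejected(Exception):
    """Raised when an assertion must not be used for authentication."""


def find_assertion_signature(assertion_xml: str):
    """Return the ds:Signature element that is a direct child of the root
    saml:Assertion, or None when the assertion carries no signature at all."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML2_NS}}}Assertion":
        raise AssertionRejected("root element is not a saml:Assertion")
    # Direct child only: a Signature buried elsewhere does not cover the assertion.
    return root.find(f"{{{DSIG_NS}}}Signature")


def subject_name(assertion_xml: str) -> str:
    root = ET.fromstring(assertion_xml)
    name_id = root.find(f"{{{SAML2_NS}}}Subject/{{{SAML2_NS}}}NameID")
    if name_id is None or not name_id.text:
        raise AssertionRejected("assertion has no Subject NameID")
    return name_id.text


def accept_assertion_flawed(assertion_xml: str, verify_signature) -> str:
    """Illustrative exclusion bug (not Axis2's source): the signature is checked
    only if one is present, so an unsigned assertion sails through."""
    sig = find_assertion_signature(assertion_xml)
    if sig is not None and not verify_signature(sig):
        raise AssertionRejected("signature verification failed")
    return subject_name(assertion_xml)


def accept_assertion(assertion_xml: str, verify_signature) -> str:
    """Fail closed: no Signature element means reject, never 'nothing to verify'.
    `verify_signature` (hypothetical) performs the cryptographic check and
    returns True or False."""
    sig = find_assertion_signature(assertion_xml)
    if sig is None:
        raise AssertionRejected("assertion has no Signature element")
    if not verify_signature(sig):
        raise AssertionRejected("signature verification failed")
    return subject_name(assertion_xml)


# Constructed sample inputs (not taken from the bug report or the paper).
SIGNED = f"""<saml:Assertion xmlns:saml="{SAML2_NS}" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example</saml:Issuer>
  <ds:Signature xmlns:ds="{DSIG_NS}"><ds:SignedInfo/>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</saml:Assertion>"""

UNSIGNED = f"""<saml:Assertion xmlns:saml="{SAML2_NS}" ID="_a2" Version="2.0">
  <saml:Issuer>https://idp.example</saml:Issuer>
  <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
</saml:Assertion>"""


def demo() -> dict:
    """Run both consumers over both samples and report what each one accepted."""
    always_valid = lambda sig: True  # stands in for a real verifier
    results = {"flawed": {}, "hardened": {}}
    for label, consumer in (("flawed", accept_assertion_flawed),
                            ("hardened", accept_assertion)):
        for name, doc in (("signed", SIGNED), ("unsigned", UNSIGNED)):
            try:
                results[label][name] = "accepted as " + consumer(doc, always_valid)
            except AssertionRejected as exc:
                results[label][name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for consumer, outcome in demo().items():
        print(consumer, outcome)
```

The presence check is necessary but not sufficient: once a Signature element is found, the verifier still has to confirm that it covers the assertion being trusted, which is the part the placeholder callback leaves out.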
Comment 1 Garrett Holmstrom 2012-10-11 00:32:30 EDT
This bug's summary seems to disagree with its description about which CVE this is.  Would I be correct in assuming that the latter is the correct one, or are we facing two different bugs here?
Comment 2 David Jorm 2012-10-11 01:11:15 EDT
(In reply to comment #1)
> This bug's summary seems to disagree with its description about which CVE
> this is.  Would I be correct in assuming that the latter is the correct one,
> or are we facing two different bugs here?

Well spotted, Garrett. I have edited this bug to refer to the correct CVE ID (CVE-2012-5351).
Comment 3 David Jorm 2013-03-08 00:27:44 EST
Created axis2 tracking bugs for this issue

Affects: fedora-17 [bug 919325]
Comment 4 David Jorm 2013-03-08 00:45:23 EST
Statement:

Not Vulnerable. This issue does not affect the version of axis as shipped with JBoss Developer Studio 5 and 6, JBoss Enterprise Portal Platform 5.2.2 and 6.0.0, Red Hat Enterprise Linux 5 and 6, and Red Hat Enterprise Virtualization Manager 3.1.
