Bug 880443 - (CVE-2012-5575) CVE-2012-5575 jbossws-native, jbossws-cxf, apache-cxf: XML encryption backwards compatibility attacks
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All, OS: Linux
Priority: high, Severity: high
Assigned To: Red Hat Product Security
impact=important,public=20130308,repo...
Keywords: Security
Depends On: 901224 918348 952020 952021 952022 952023 952024 952025 952027 953308
Blocks: 880470 920007 953709 958335 968131 970481
Reported: 2012-11-26 20:56 EST by David Jorm
Modified: 2015-07-31 06:21 EDT
Doc Type: Bug Fix
Last Closed: 2013-10-16 21:44:03 EDT
Description David Jorm 2012-11-26 20:56:15 EST
Tibor Jager, Kenneth G. Paterson and Juraj Somorovsky have described XML encryption backwards compatibility attacks against various frameworks, including Apache CXF. An attacker can use these flaws to force a server to utilize insecure, legacy cryptosystems when secure cryptosystems are enabled on endpoints. This could expose flaws in the underlying legacy cryptosystems, such as CVE-2011-1096 and CVE-2011-2487. This flaw also affects the jbossws-native stack.

Acknowledgements:

Red Hat would like to thank Tibor Jager, Kenneth G. Paterson and Juraj Somorovsky of Ruhr-University Bochum for reporting this issue.
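
The description above says an attacker can force an endpoint onto legacy cryptosystems even when secure ones are enabled. The following is an added example, not code from this bug report, Apache CXF or JBoss WS: a pre-decryption check that rejects any message whose declared XML Encryption algorithms fall outside the endpoint's policy. The allow-list, function names and sample messages are assumptions made for illustration; the algorithm URIs are those defined by the W3C XML Encryption specifications.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"    # XML Encryption 1.0 namespace
XENC11 = "http://www.w3.org/2009/xmlenc11#"   # XML Encryption 1.1 namespace

# Assumed endpoint policy (hypothetical): the only algorithms this endpoint accepts.
ALLOWED = {
    "EncryptedKey": {XENC + "rsa-oaep-mgf1p"},
    "EncryptedData": {XENC11 + "aes128-gcm", XENC11 + "aes256-gcm"},
}

def policy_violations(xml_text, allowed=ALLOWED):
    """Return (element, algorithm) for each encrypted element outside policy.

    Meant to run before any decryption, so a message that declares a legacy
    algorithm never reaches the legacy code path. Production code should use
    a hardened XML parser for untrusted input.
    """
    root = ET.fromstring(xml_text)
    violations = []
    for kind, permitted in allowed.items():
        for elem in root.iter("{%s}%s" % (XENC, kind)):
            # Direct child only: an EncryptedKey nested in KeyInfo is checked
            # on its own iteration, not mistaken for the parent's method.
            method = elem.find("{%s}EncryptionMethod" % XENC)
            alg = method.get("Algorithm") if method is not None else None
            if alg not in permitted:      # a missing algorithm is also rejected
                violations.append((kind, alg))
    return violations

def sample_message(key_alg, data_alg):
    """Constructed message skeleton for the demo, not captured traffic."""
    return (
        '<Envelope xmlns:xenc="%s">'
        '<xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="%s"/>'
        '</xenc:EncryptedKey>'
        '<xenc:EncryptedData><xenc:EncryptionMethod Algorithm="%s"/>'
        '</xenc:EncryptedData></Envelope>' % (XENC, key_alg, data_alg))

# A downgraded message declares legacy algorithms (RSA PKCS#1 v1.5, AES-CBC).
LEGACY = sample_message(XENC + "rsa-1_5", XENC + "aes128-cbc")
MODERN = sample_message(XENC + "rsa-oaep-mgf1p", XENC11 + "aes128-gcm")

if __name__ == "__main__":
    for name, msg in (("legacy", LEGACY), ("modern", MODERN)):
        print(name, policy_violations(msg) or "accepted")
```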
Comment 12 errata-xmlrpc 2013-05-20 10:32:07 EDT
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.1.0

Via RHSA-2013:0833 https://rhn.redhat.com/errata/RHSA-2013-0833.html
Comment 13 errata-xmlrpc 2013-05-20 11:25:43 EDT
This issue has been addressed in following products:

  JBEAP 6 for RHEL 6

Via RHSA-2013:0834 https://rhn.redhat.com/errata/RHSA-2013-0834.html
Comment 14 errata-xmlrpc 2013-05-20 11:39:26 EDT
This issue has been addressed in following products:

  JBEAP 6 for RHEL 5

Via RHSA-2013:0839 https://rhn.redhat.com/errata/RHSA-2013-0839.html
Comment 15 errata-xmlrpc 2013-05-28 13:41:47 EDT
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0876 https://rhn.redhat.com/errata/RHSA-2013-0876.html
Comment 16 errata-xmlrpc 2013-05-28 13:42:25 EDT
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0875 https://rhn.redhat.com/errata/RHSA-2013-0875.html
Comment 17 errata-xmlrpc 2013-05-28 13:43:03 EDT
This issue has been addressed in following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2013:0874 https://rhn.redhat.com/errata/RHSA-2013-0874.html
Comment 18 errata-xmlrpc 2013-05-28 13:43:41 EDT
This issue has been addressed in following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2013:0873 https://rhn.redhat.com/errata/RHSA-2013-0873.html
Comment 19 errata-xmlrpc 2013-06-12 12:44:47 EDT
This issue has been addressed in following products:

  Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2013:0943 https://rhn.redhat.com/errata/RHSA-2013-0943.html
Comment 20 errata-xmlrpc 2013-06-18 10:49:58 EDT
This issue has been addressed in following products:

  Red Hat JBoss Portal 5.2.2

Via RHSA-2013:0953 https://rhn.redhat.com/errata/RHSA-2013-0953.html
Comment 21 errata-xmlrpc 2013-07-01 11:15:28 EDT
This issue has been addressed in following products:

  Red Hat JBoss BRMS 5.3.1

Via RHSA-2013:1006 https://rhn.redhat.com/errata/RHSA-2013-1006.html
Comment 22 errata-xmlrpc 2013-07-09 13:37:05 EDT
This issue has been addressed in following products:

  Fuse ESB Enterprise 7.1.0

Via RHSA-2013:1028 https://rhn.redhat.com/errata/RHSA-2013-1028.html
Comment 24 errata-xmlrpc 2013-08-07 13:39:36 EDT
This issue has been addressed in following products:

  Red Hat JBoss SOA Platform 4.3 CP05
  Red Hat JBoss Portal 4.3 CP07

Via RHSA-2013:1143 https://rhn.redhat.com/errata/RHSA-2013-1143.html
Comment 25 errata-xmlrpc 2013-10-16 12:55:46 EDT
This issue has been addressed in following products:

  Red Hat JBoss Portal 6.1.0

Via RHSA-2013:1437 https://rhn.redhat.com/errata/RHSA-2013-1437.html
