Tibor Jager, Kenneth G. Paterson and Juraj Somorovsky have described XML encryption backwards compatibility attacks against various frameworks, including Apache CXF. An attacker can use these flaws to force a server to use insecure, legacy cryptosystems even when secure cryptosystems are enabled on its endpoints. This could expose flaws in the underlying legacy cryptosystems, such as CVE-2011-1096 and CVE-2011-2487. This flaw also affects the jbossws-native stack.
External References:
http://www.nds.ruhr-uni-bochum.de/research/publications/backwards-compatibility/
http://cxf.apache.org/cve-2012-5575.html
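The defensive point behind this advisory is that an endpoint must reject legacy algorithms outright rather than merely prefer secure ones, because otherwise a message that names a legacy algorithm is still processed by the legacy code path. The following is an added illustration, not code from Apache CXF, WSS4J or the jbossws-native stack: it walks a WS-Security SOAP message and rejects any EncryptedKey or EncryptedData whose EncryptionMethod is outside an explicit allow-list. The allow-list, the two sample messages and the function names are constructed for this example; the algorithm URIs are the standard W3C XML Encryption identifiers.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"

# Constructed allow-list: only authenticated symmetric encryption and
# RSA-OAEP key transport. Align this with the algorithm suite a deployment
# actually requires; the point is that anything else is refused, not merely
# deprioritised.
ALLOWED_ALGORITHMS = {
    XENC11 + "aes128-gcm",
    XENC11 + "aes256-gcm",
    XENC + "rsa-oaep-mgf1p",
    XENC11 + "rsa-oaep",
}

# Legacy algorithms that a backwards-compatibility downgrade tries to
# re-introduce, with the weakness each one exposes.
LEGACY_ALGORITHMS = {
    XENC + "aes128-cbc": "unauthenticated CBC mode (CVE-2011-1096)",
    XENC + "aes256-cbc": "unauthenticated CBC mode (CVE-2011-1096)",
    XENC + "tripledes-cbc": "unauthenticated CBC mode (CVE-2011-1096)",
    XENC + "rsa-1_5": "RSA PKCS#1 v1.5 key transport (CVE-2011-2487)",
}


def check_encryption_algorithms(soap_xml: str) -> list:
    """Return a list of violations for the message; an empty list means every
    EncryptedKey and EncryptedData element names an allowed algorithm."""
    root = ET.fromstring(soap_xml)
    violations = []
    # EncryptedKey (key transport) is checked before EncryptedData (payload).
    for tag in ("EncryptedKey", "EncryptedData"):
        for elem in root.iter(f"{{{XENC}}}{tag}"):
            method = elem.find(f"{{{XENC}}}EncryptionMethod")
            alg = method.get("Algorithm") if method is not None else None
            if alg is None:
                violations.append(f"{tag}: missing EncryptionMethod")
            elif alg not in ALLOWED_ALGORITHMS:
                reason = LEGACY_ALGORITHMS.get(alg, "not in allow-list")
                violations.append(f"{tag}: {alg} rejected ({reason})")
    return violations


def _sample_message(key_alg: str, data_alg: str) -> str:
    """Constructed WS-Security envelope with one EncryptedKey in the header and
    one EncryptedData in the body; cipher values are dummy placeholders."""
    return f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:xenc="{XENC}">
  <soap:Header><wsse:Security>
    <xenc:EncryptedKey Id="EK-1">
      <xenc:EncryptionMethod Algorithm="{key_alg}"/>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
  </wsse:Security></soap:Header>
  <soap:Body>
    <xenc:EncryptedData Id="ED-1" Type="{XENC}Content">
      <xenc:EncryptionMethod Algorithm="{data_alg}"/>
      <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>"""


# A message using the algorithms the endpoint is configured for.
SECURE_MESSAGE = _sample_message(XENC + "rsa-oaep-mgf1p", XENC11 + "aes128-gcm")

# The same message after an algorithm downgrade: both the key transport and
# the payload encryption name legacy algorithms.
DOWNGRADED_MESSAGE = _sample_message(XENC + "rsa-1_5", XENC + "aes128-cbc")


if __name__ == "__main__":
    for label, msg in (("secure", SECURE_MESSAGE), ("downgraded", DOWNGRADED_MESSAGE)):
        problems = check_encryption_algorithms(msg)
        print(label, "->", "accepted" if not problems else problems)
```

Running the check rejects the downgraded message on both elements while accepting the secure one. The check is deliberately performed on the algorithm URIs before any decryption is attempted, so that a legacy cipher is never invoked on attacker-supplied ciphertext; the fixed framework versions listed in the errata below enforce this inside the WS-Security processing itself.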
This issue has been addressed in the following products:
JBoss Enterprise Application Platform 6.1.0 via RHSA-2013:0833 https://rhn.redhat.com/errata/RHSA-2013-0833.html
JBEAP 6 for RHEL 6 via RHSA-2013:0834 https://rhn.redhat.com/errata/RHSA-2013-0834.html
JBEAP 6 for RHEL 5 via RHSA-2013:0839 https://rhn.redhat.com/errata/RHSA-2013-0839.html
JBoss Enterprise Web Platform 5.2.0 via RHSA-2013:0876 https://rhn.redhat.com/errata/RHSA-2013-0876.html
JBoss Enterprise Application Platform 5.2.0 via RHSA-2013:0875 https://rhn.redhat.com/errata/RHSA-2013-0875.html
JBEWP 5 for RHEL 4, JBEWP 5 for RHEL 5, JBEWP 5 for RHEL 6 via RHSA-2013:0874 https://rhn.redhat.com/errata/RHSA-2013-0874.html
JBEAP 5 for RHEL 4, JBEAP 5 for RHEL 5, JBEAP 5 for RHEL 6 via RHSA-2013:0873 https://rhn.redhat.com/errata/RHSA-2013-0873.html
Red Hat JBoss SOA Platform 5.3.1 via RHSA-2013:0943 https://rhn.redhat.com/errata/RHSA-2013-0943.html
Red Hat JBoss Portal 5.2.2 via RHSA-2013:0953 https://rhn.redhat.com/errata/RHSA-2013-0953.html
Red Hat JBoss BRMS 5.3.1 via RHSA-2013:1006 https://rhn.redhat.com/errata/RHSA-2013-1006.html
Fuse ESB Enterprise 7.1.0 via RHSA-2013:1028 https://rhn.redhat.com/errata/RHSA-2013-1028.html
Red Hat JBoss SOA Platform 4.3 CP05, Red Hat JBoss Portal 4.3 CP07 via RHSA-2013:1143 https://rhn.redhat.com/errata/RHSA-2013-1143.html
Red Hat JBoss Portal 6.1.0 via RHSA-2013:1437 https://rhn.redhat.com/errata/RHSA-2013-1437.html