Bug 880443 (CVE-2012-5575) - CVE-2012-5575 jbossws-native, jbossws-cxf, apache-cxf: XML encryption backwards compatibility attacks
Summary: CVE-2012-5575 jbossws-native, jbossws-cxf, apache-cxf: XML encryption backwar...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-5575
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 901224 918348 952020 952021 952022 952023 952024 952025 952027 953308
Blocks: 880470 920007 953709 958335 968131 970481
TreeView+ depends on / blocked
 
Reported: 2012-11-27 01:56 UTC by David Jorm
Modified: 2021-08-11 13:14 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-17 01:44:03 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0833 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 6.1.0 update 2013-05-20 18:31:18 UTC
Red Hat Product Errata RHSA-2013:0834 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 6.1.0 update 2013-05-20 23:19:13 UTC
Red Hat Product Errata RHSA-2013:0839 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 6.1.0 update 2013-05-20 23:18:52 UTC
Red Hat Product Errata RHSA-2013:0873 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 5.2.0 security update 2013-05-28 21:39:33 UTC
Red Hat Product Errata RHSA-2013:0874 0 normal SHIPPED_LIVE Important: JBoss Enterprise Web Platform 5.2.0 security update 2013-05-28 21:39:17 UTC
Red Hat Product Errata RHSA-2013:0875 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 5.2.0 security update 2013-05-28 21:39:12 UTC
Red Hat Product Errata RHSA-2013:0876 0 normal SHIPPED_LIVE Important: JBoss Enterprise Web Platform 5.2.0 security update 2013-05-28 21:39:07 UTC
Red Hat Product Errata RHSA-2013:0943 0 normal SHIPPED_LIVE Important: Red Hat JBoss SOA Platform 5.3.1 update 2013-06-12 20:41:26 UTC
Red Hat Product Errata RHSA-2013:0953 0 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 5.2.2 security update 2013-06-18 18:48:45 UTC
Red Hat Product Errata RHSA-2013:1006 0 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 5.3.1 update 2013-07-01 19:14:03 UTC
Red Hat Product Errata RHSA-2013:1028 0 normal SHIPPED_LIVE Important: Fuse ESB Enterprise 7.1.0 update 2013-07-09 21:36:00 UTC
Red Hat Product Errata RHSA-2013:1143 0 normal SHIPPED_LIVE Important: JBoss Web Services security update 2013-08-07 21:38:25 UTC
Red Hat Product Errata RHSA-2013:1437 0 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 6.1.0 update 2013-10-16 20:53:32 UTC

Description David Jorm 2012-11-27 01:56:15 UTC 
Tibor Jager, Kenneth G. Paterson and Juraj Somorovsky have described XML encryption backwards compatibility attacks against various frameworks, including Apache CXF. An attacker can use these flaws to force a server to utilize insecure, legacy cryptosystems when secure cryptosystems are enabled on endpoints. This could expose flaws in the underlying legacy cryptosystems, such as CVE-2011-1096 and CVE-2011-2487. This flaw also affects the jbossws-native stack.
Comment 3 David Jorm 2013-03-27 16:28:22 UTC 
External References:

http://www.nds.ruhr-uni-bochum.de/research/publications/backwards-compatibility/
http://cxf.apache.org/cve-2012-5575.html
Comment 12 errata-xmlrpc 2013-05-20 14:32:07 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.1.0

Via RHSA-2013:0833 https://rhn.redhat.com/errata/RHSA-2013-0833.html
Comment 13 errata-xmlrpc 2013-05-20 15:25:43 UTC 
This issue has been addressed in following products:

  JBEAP 6 for RHEL 6

Via RHSA-2013:0834 https://rhn.redhat.com/errata/RHSA-2013-0834.html
Comment 14 errata-xmlrpc 2013-05-20 15:39:26 UTC 
This issue has been addressed in following products:

  JBEAP 6 for RHEL 5

Via RHSA-2013:0839 https://rhn.redhat.com/errata/RHSA-2013-0839.html
Comment 15 errata-xmlrpc 2013-05-28 17:41:47 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0876 https://rhn.redhat.com/errata/RHSA-2013-0876.html
Comment 16 errata-xmlrpc 2013-05-28 17:42:25 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0875 https://rhn.redhat.com/errata/RHSA-2013-0875.html
Comment 17 errata-xmlrpc 2013-05-28 17:43:03 UTC 
This issue has been addressed in following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2013:0874 https://rhn.redhat.com/errata/RHSA-2013-0874.html
Comment 18 errata-xmlrpc 2013-05-28 17:43:41 UTC 
This issue has been addressed in following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2013:0873 https://rhn.redhat.com/errata/RHSA-2013-0873.html
Comment 19 errata-xmlrpc 2013-06-12 16:44:47 UTC 
This issue has been addressed in following products:

  Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2013:0943 https://rhn.redhat.com/errata/RHSA-2013-0943.html
Comment 20 errata-xmlrpc 2013-06-18 14:49:58 UTC 
This issue has been addressed in following products:

  Red Hat JBoss Portal 5.2.2

Via RHSA-2013:0953 https://rhn.redhat.com/errata/RHSA-2013-0953.html
Comment 21 errata-xmlrpc 2013-07-01 15:15:28 UTC 
This issue has been addressed in following products:

  Red Hat JBoss BRMS 5.3.1

Via RHSA-2013:1006 https://rhn.redhat.com/errata/RHSA-2013-1006.html
Comment 22 errata-xmlrpc 2013-07-09 17:37:05 UTC 
This issue has been addressed in following products:

  Fuse ESB Enterprise 7.1.0

Via RHSA-2013:1028 https://rhn.redhat.com/errata/RHSA-2013-1028.html
Comment 24 errata-xmlrpc 2013-08-07 17:39:36 UTC 
This issue has been addressed in following products:

  Red Hat JBoss SOA Platform 4.3 CP05
  Red Hat JBoss Portal 4.3 CP07

Via RHSA-2013:1143 https://rhn.redhat.com/errata/RHSA-2013-1143.html
Comment 25 errata-xmlrpc 2013-10-16 16:55:46 UTC 
This issue has been addressed in following products:

  Red Hat JBoss Portal 6.1.0

Via RHSA-2013:1437 https://rhn.redhat.com/errata/RHSA-2013-1437.html
Note You need to log in before you can comment on or make changes to this bug.