Bug 880443 (CVE-2012-5575) - CVE-2012-5575 jbossws-native, jbossws-cxf, apache-cxf: XML encryption backwards compatibility attacks
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-5575
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 901224 918348 952020 952021 952022 952023 952024 952025 952027 953308
Blocks: 880470 920007 953709 958335 968131 970481
Reported: 2012-11-27 01:56 UTC by David Jorm
Modified: 2019-09-29 12:58 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-17 01:44:03 UTC

Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0833 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 6.1.0 update 2013-05-20 18:31:18 UTC
Red Hat Product Errata RHSA-2013:0834 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 6.1.0 update 2013-05-20 23:19:13 UTC
Red Hat Product Errata RHSA-2013:0839 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 6.1.0 update 2013-05-20 23:18:52 UTC
Red Hat Product Errata RHSA-2013:0873 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 5.2.0 security update 2013-05-28 21:39:33 UTC
Red Hat Product Errata RHSA-2013:0874 normal SHIPPED_LIVE Important: JBoss Enterprise Web Platform 5.2.0 security update 2013-05-28 21:39:17 UTC
Red Hat Product Errata RHSA-2013:0875 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 5.2.0 security update 2013-05-28 21:39:12 UTC
Red Hat Product Errata RHSA-2013:0876 normal SHIPPED_LIVE Important: JBoss Enterprise Web Platform 5.2.0 security update 2013-05-28 21:39:07 UTC
Red Hat Product Errata RHSA-2013:0943 normal SHIPPED_LIVE Important: Red Hat JBoss SOA Platform 5.3.1 update 2013-06-12 20:41:26 UTC
Red Hat Product Errata RHSA-2013:0953 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 5.2.2 security update 2013-06-18 18:48:45 UTC
Red Hat Product Errata RHSA-2013:1006 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 5.3.1 update 2013-07-01 19:14:03 UTC
Red Hat Product Errata RHSA-2013:1028 normal SHIPPED_LIVE Important: Fuse ESB Enterprise 7.1.0 update 2013-07-09 21:36:00 UTC
Red Hat Product Errata RHSA-2013:1143 normal SHIPPED_LIVE Important: JBoss Web Services security update 2013-08-07 21:38:25 UTC
Red Hat Product Errata RHSA-2013:1437 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 6.1.0 update 2013-10-16 20:53:32 UTC

Description David Jorm 2012-11-27 01:56:15 UTC
Tibor Jager, Kenneth G. Paterson and Juraj Somorovsky have described XML encryption backwards compatibility attacks against various frameworks, including Apache CXF. An attacker can use these flaws to force a server to utilize insecure, legacy cryptosystems when secure cryptosystems are enabled on endpoints. This could expose flaws in the underlying legacy cryptosystems, such as CVE-2011-1096 and CVE-2011-2487. This flaw also affects the jbossws-native stack.

Acknowledgements:

Red Hat would like to thank Tibor Jager, Kenneth G. Paterson and Juraj Somorovsky of Ruhr-University Bochum for reporting this issue.
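The attack the report describes works because an endpoint that has a modern suite enabled still honours requests for the legacy algorithms as well. The following Python, added here as an illustration and not taken from the bug, from Apache CXF or from JBossWS, shows the defensive counterpart: an explicit allow-list on every xenc:EncryptionMethod/@Algorithm URI in a message, checked before any key is unwrapped or any data decrypted. The allow-list contents, the helper names and the sample envelopes are assumptions of this example; the algorithm URIs themselves are the standard XML Encryption 1.0/1.1 identifiers, and the legacy RSA PKCS#1 v1.5 key transport and CBC-mode data encryption are the kind of cryptosystems the two CVEs cited above concern.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"      # XML Encryption 1.0 namespace
XENC11 = "http://www.w3.org/2009/xmlenc11#"     # XML Encryption 1.1 namespace

# Allow-list for a hardened endpoint (an assumption of this example, not a
# setting taken from CXF or JBossWS): RSA-OAEP key transport and AES-GCM data
# encryption only.  RSA PKCS#1 v1.5 (rsa-1_5) and the CBC modes are left out on
# purpose, so a message naming them is refused even though the endpoint could
# technically process it.
ALLOWED_KEY_TRANSPORT = {XENC + "rsa-oaep-mgf1p", XENC11 + "rsa-oaep"}
ALLOWED_DATA_ENCRYPTION = {XENC11 + "aes128-gcm", XENC11 + "aes256-gcm"}


class AlgorithmNotAllowed(ValueError):
    """Raised when a message names an algorithm outside the allow-list."""


def _method_uri(element):
    """Return the Algorithm URI of the element's xenc:EncryptionMethod child,
    failing closed if the child or the attribute is missing."""
    method = element.find(f"{{{XENC}}}EncryptionMethod")
    if method is None or not method.get("Algorithm"):
        raise AlgorithmNotAllowed("EncryptionMethod/@Algorithm missing")
    return method.get("Algorithm")


def check_encryption_algorithms(soap_message):
    """Walk every xenc:EncryptedKey and xenc:EncryptedData in the message and
    return the algorithm URIs found, or raise AlgorithmNotAllowed.  The check
    only reads attributes, so it can run before any decryption: the decision
    is made on what the sender asked for, not on what the decryptor tolerates."""
    root = ET.fromstring(soap_message)
    found = {"key_transport": [], "data_encryption": []}
    for encrypted_key in root.iter(f"{{{XENC}}}EncryptedKey"):
        uri = _method_uri(encrypted_key)
        if uri not in ALLOWED_KEY_TRANSPORT:
            raise AlgorithmNotAllowed(f"key transport algorithm refused: {uri}")
        found["key_transport"].append(uri)
    for encrypted_data in root.iter(f"{{{XENC}}}EncryptedData"):
        uri = _method_uri(encrypted_data)
        if uri not in ALLOWED_DATA_ENCRYPTION:
            raise AlgorithmNotAllowed(f"data encryption algorithm refused: {uri}")
        found["data_encryption"].append(uri)
    return found


def is_message_acceptable(soap_message):
    """Boolean form of the check, convenient for a request filter."""
    try:
        check_encryption_algorithms(soap_message)
        return True
    except (AlgorithmNotAllowed, ET.ParseError):
        return False


def build_message(key_transport_uri, data_encryption_uri):
    """Constructed WS-Security style envelope used only as sample input; the
    CipherValue contents are placeholders, not real ciphertext."""
    return f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:xenc="{XENC}">
  <soap:Header>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="{key_transport_uri}"/>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
  </soap:Header>
  <soap:Body>
    <xenc:EncryptedData Type="{XENC}Content">
      <xenc:EncryptionMethod Algorithm="{data_encryption_uri}"/>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>"""


# Constructed samples: one message using the modern suite, one naming the
# legacy suite that a hardened endpoint should refuse outright.
MODERN_MESSAGE = build_message(XENC + "rsa-oaep-mgf1p", XENC11 + "aes128-gcm")
LEGACY_MESSAGE = build_message(XENC + "rsa-1_5", XENC + "tripledes-cbc")

if __name__ == "__main__":
    print("modern:", check_encryption_algorithms(MODERN_MESSAGE))
    print("legacy accepted?", is_message_acceptable(LEGACY_MESSAGE))
```

The allow-list is deliberately positive rather than a block-list of known-bad URIs: a new or unexpected algorithm identifier is refused by default, and a message with a missing EncryptionMethod is refused as well, so the endpoint never falls through to whatever its decryption library happens to support.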

Comment 12 errata-xmlrpc 2013-05-20 14:32:07 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.1.0

Via RHSA-2013:0833 https://rhn.redhat.com/errata/RHSA-2013-0833.html

Comment 13 errata-xmlrpc 2013-05-20 15:25:43 UTC
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 6

Via RHSA-2013:0834 https://rhn.redhat.com/errata/RHSA-2013-0834.html

Comment 14 errata-xmlrpc 2013-05-20 15:39:26 UTC
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 5

Via RHSA-2013:0839 https://rhn.redhat.com/errata/RHSA-2013-0839.html

Comment 15 errata-xmlrpc 2013-05-28 17:41:47 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0876 https://rhn.redhat.com/errata/RHSA-2013-0876.html

Comment 16 errata-xmlrpc 2013-05-28 17:42:25 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0875 https://rhn.redhat.com/errata/RHSA-2013-0875.html

Comment 17 errata-xmlrpc 2013-05-28 17:43:03 UTC
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2013:0874 https://rhn.redhat.com/errata/RHSA-2013-0874.html

Comment 18 errata-xmlrpc 2013-05-28 17:43:41 UTC
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2013:0873 https://rhn.redhat.com/errata/RHSA-2013-0873.html

Comment 19 errata-xmlrpc 2013-06-12 16:44:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2013:0943 https://rhn.redhat.com/errata/RHSA-2013-0943.html

Comment 20 errata-xmlrpc 2013-06-18 14:49:58 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Portal 5.2.2

Via RHSA-2013:0953 https://rhn.redhat.com/errata/RHSA-2013-0953.html

Comment 21 errata-xmlrpc 2013-07-01 15:15:28 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 5.3.1

Via RHSA-2013:1006 https://rhn.redhat.com/errata/RHSA-2013-1006.html

Comment 22 errata-xmlrpc 2013-07-09 17:37:05 UTC
This issue has been addressed in the following products:

  Fuse ESB Enterprise 7.1.0

Via RHSA-2013:1028 https://rhn.redhat.com/errata/RHSA-2013-1028.html

Comment 24 errata-xmlrpc 2013-08-07 17:39:36 UTC
This issue has been addressed in the following products:

  Red Hat JBoss SOA Platform 4.3 CP05
  Red Hat JBoss Portal 4.3 CP07

Via RHSA-2013:1143 https://rhn.redhat.com/errata/RHSA-2013-1143.html

Comment 25 errata-xmlrpc 2013-10-16 16:55:46 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Portal 6.1.0

Via RHSA-2013:1437 https://rhn.redhat.com/errata/RHSA-2013-1437.html