Bug 999263 (CVE-2013-2172) - CVE-2013-2172 Apache Santuario XML Security for Java: XML signature spoofing
Summary: CVE-2013-2172 Apache Santuario XML Security for Java: XML signature spoofing
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-2172
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1000238 1000239 1000240 1000241 1000242 1000243 1000244
Blocks: 956239 970481 980700 999265 1004652 1007672 1026176 1113315
Reported: 2013-08-21 04:13 UTC by David Jorm
Modified: 2021-02-17 07:24 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.
Clone Of:
Environment:
Last Closed: 2014-10-09 18:24:30 UTC
Embargoed:

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2013:1207 | 0 | normal | SHIPPED_LIVE | Moderate: Red Hat JBoss Enterprise Application Platform 6.1.1 update | 2013-09-04 22:51:19 UTC
Red Hat Product Errata | RHSA-2013:1208 | 0 | normal | SHIPPED_LIVE | Moderate: Red Hat JBoss Enterprise Application Platform 6.1.1 update | 2013-09-04 22:50:25 UTC
Red Hat Product Errata | RHSA-2013:1209 | 0 | normal | SHIPPED_LIVE | Moderate: Red Hat JBoss Enterprise Application Platform 6.1.1 update | 2013-09-04 22:50:19 UTC
Red Hat Product Errata | RHSA-2013:1217 | 0 | normal | SHIPPED_LIVE | Moderate: xml-security security update | 2013-09-09 20:55:49 UTC
Red Hat Product Errata | RHSA-2013:1218 | 0 | normal | SHIPPED_LIVE | Moderate: xml-security security update | 2013-09-09 20:55:45 UTC
Red Hat Product Errata | RHSA-2013:1219 | 0 | normal | SHIPPED_LIVE | Moderate: xml-security security update | 2013-09-09 20:55:36 UTC
Red Hat Product Errata | RHSA-2013:1220 | 0 | normal | SHIPPED_LIVE | Moderate: xml-security security update | 2013-09-09 20:55:32 UTC
Red Hat Product Errata | RHSA-2013:1375 | 0 | normal | SHIPPED_LIVE | Moderate: Red Hat JBoss BRMS 5.3.1 update | 2013-09-30 21:55:21 UTC
Red Hat Product Errata | RHSA-2013:1437 | 0 | normal | SHIPPED_LIVE | Important: Red Hat JBoss Portal 6.1.0 update | 2013-10-16 20:53:32 UTC
Red Hat Product Errata | RHSA-2013:1853 | 0 | normal | SHIPPED_LIVE | Moderate: Red Hat JBoss Operations Network 3.2.0 update | 2013-12-17 23:36:29 UTC
Red Hat Product Errata | RHSA-2014:0212 | 0 | normal | SHIPPED_LIVE | Moderate: Red Hat JBoss SOA Platform 5.3.1 update | 2014-02-25 21:41:26 UTC
Red Hat Product Errata | RHSA-2014:0400 | 0 | normal | SHIPPED_LIVE | Moderate: Red Hat JBoss Fuse 6.1.0 update | 2014-04-14 18:27:37 UTC
Red Hat Product Errata | RHSA-2014:1369 | 0 | normal | SHIPPED_LIVE | Important: Fuse ESB Enterprise/Fuse MQ Enterprise 7.1.0 update | 2014-10-09 20:07:39 UTC

Description David Jorm 2013-08-21 04:13:50 UTC
IssueDescription:

A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.
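
The description above says the verifier let the signature block itself choose the algorithm applied to SignedInfo. A defence an application can apply in front of any XML-DSig library is to allowlist the algorithm URIs a signature is permitted to name before it is validated at all. The Python below is an added example written for this page; it is not Santuario code and not part of the original bug report. It assumes the application only ever expects standard canonicalization algorithms (C14N 1.0, C14N 1.1, Exclusive C14N, with and without comments) plus the enveloped-signature transform inside References; the two signature blocks it checks are constructed for the example, and the XSLT URI in the rejected one stands in for "an algorithm that is not a canonicalization algorithm".

```python
"""Pre-validation gate for XML Signature algorithm URIs.

Added example, not Santuario's code and not part of the original bug
report.  Before an XML signature block reaches the signature library,
confirm that SignedInfo/CanonicalizationMethod and every
Reference/Transforms/Transform name an algorithm the application expects.
The allowlists and the sample signature blocks are assumptions made for
this example.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

# Canonicalization algorithms defined by XML-DSig, XML-EXC-C14N and C14N 1.1.
ALLOWED_C14N = frozenset({
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
    "http://www.w3.org/2006/12/xml-c14n11",
    "http://www.w3.org/2006/12/xml-c14n11#WithComments",
})

# Transforms accepted inside a Reference: the canonicalization algorithms
# plus enveloped-signature.  XSLT and XPath transforms are deliberately
# absent (assumption: this application never needs them).
ALLOWED_TRANSFORMS = ALLOWED_C14N | frozenset({
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
})


class UnsafeSignatureAlgorithm(ValueError):
    """Raised when a signature names an algorithm outside the allowlists."""


def check_signature_algorithms(signature_xml: str) -> list:
    """Return the algorithm URIs found (CanonicalizationMethod first, then
    each Transform in document order) or raise UnsafeSignatureAlgorithm."""
    root = ET.fromstring(signature_xml)
    sig = root if root.tag == f"{{{DS}}}Signature" else root.find(".//ds:Signature", NS)
    if sig is None:
        raise UnsafeSignatureAlgorithm("no ds:Signature element")
    signed_info = sig.find("ds:SignedInfo", NS)
    if signed_info is None:
        raise UnsafeSignatureAlgorithm("no ds:SignedInfo element")

    seen = []
    c14n = signed_info.find("ds:CanonicalizationMethod", NS)
    alg = c14n.get("Algorithm") if c14n is not None else None
    # This is the check the flaw calls for: SignedInfo may only be
    # canonicalized by a real canonicalization algorithm.
    if alg not in ALLOWED_C14N:
        raise UnsafeSignatureAlgorithm(f"disallowed CanonicalizationMethod: {alg!r}")
    seen.append(alg)

    for t in signed_info.findall("ds:Reference/ds:Transforms/ds:Transform", NS):
        alg = t.get("Algorithm")
        if alg not in ALLOWED_TRANSFORMS:
            raise UnsafeSignatureAlgorithm(f"disallowed Transform: {alg!r}")
        seen.append(alg)
    return seen


def is_safe(signature_xml: str) -> bool:
    """Convenience wrapper: True if the gate passes, False otherwise."""
    try:
        check_signature_algorithms(signature_xml)
        return True
    except UnsafeSignatureAlgorithm:
        return False


def _sample(c14n_alg: str) -> str:
    # Constructed sample signature block; digest/signature values are dummies.
    return f"""<Signature xmlns="{DS}">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="{c14n_alg}"/>
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <Reference URI="">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <DigestValue>AAAA</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>AAAA</SignatureValue>
</Signature>"""


GOOD_SIGNATURE = _sample("http://www.w3.org/2001/10/xml-exc-c14n#")
# An XSLT URI is a valid Transform identifier but not a canonicalization
# algorithm; a verifier must never apply it to SignedInfo.
BAD_SIGNATURE = _sample("http://www.w3.org/TR/1999/REC-xslt-19991116")

if __name__ == "__main__":
    print("good:", is_safe(GOOD_SIGNATURE), "bad:", is_safe(BAD_SIGNATURE))
```

The gate is a pre-check, not a replacement for signature validation: the library still has to canonicalize SignedInfo, verify every Reference digest and verify SignatureValue, and the upstream fix (see the versions in the next comment) is what actually closes the flaw inside the library. Parse attacker-supplied XML with whatever hardened parser your stack already uses; the stdlib parser is used here only to keep the example self-contained.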

Comment 1 David Jorm 2013-08-21 04:30:47 UTC
This has been corrected upstream in versions 1.4.8 and 1.5.5:

http://svn.apache.org/viewvc?view=revision&revision=1493772

External Reference:

http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc

Comment 4 errata-xmlrpc 2013-09-04 18:57:27 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.1.1

Via RHSA-2013:1209 https://rhn.redhat.com/errata/RHSA-2013-1209.html

Comment 5 errata-xmlrpc 2013-09-04 19:00:27 UTC
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 6

Via RHSA-2013:1208 https://rhn.redhat.com/errata/RHSA-2013-1208.html

Comment 6 errata-xmlrpc 2013-09-04 19:05:06 UTC
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 5

Via RHSA-2013:1207 https://rhn.redhat.com/errata/RHSA-2013-1207.html

Comment 7 errata-xmlrpc 2013-09-09 16:57:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Platform 5.2.0

Via RHSA-2013:1220 https://rhn.redhat.com/errata/RHSA-2013-1220.html

Comment 8 errata-xmlrpc 2013-09-09 16:59:29 UTC
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2013:1219 https://rhn.redhat.com/errata/RHSA-2013-1219.html

Comment 9 errata-xmlrpc 2013-09-09 16:59:40 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:1218 https://rhn.redhat.com/errata/RHSA-2013-1218.html

Comment 10 errata-xmlrpc 2013-09-09 17:00:19 UTC
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2013:1217 https://rhn.redhat.com/errata/RHSA-2013-1217.html

Comment 11 errata-xmlrpc 2013-09-30 17:59:26 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 5.3.1

Via RHSA-2013:1375 https://rhn.redhat.com/errata/RHSA-2013-1375.html

Comment 12 errata-xmlrpc 2013-10-16 16:59:27 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Portal 6.1.0

Via RHSA-2013:1437 https://rhn.redhat.com/errata/RHSA-2013-1437.html

Comment 13 errata-xmlrpc 2013-12-17 18:38:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Operations Network 3.2.0

Via RHSA-2013:1853 https://rhn.redhat.com/errata/RHSA-2013-1853.html

Comment 14 errata-xmlrpc 2014-02-25 16:42:07 UTC
This issue has been addressed in the following products:

  Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2014:0212 https://rhn.redhat.com/errata/RHSA-2014-0212.html

Comment 16 Chess Hazlett 2014-04-15 02:30:46 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.1.0

Via RHSA-2014:0400 https://rhn.redhat.com/errata/RHSA-2014-0400.html

Comment 17 errata-xmlrpc 2014-10-09 16:07:54 UTC
This issue has been addressed in the following products:

  Fuse ESB Enterprise 7.1.0
  Fuse MQ Enterprise 7.1.0

Via RHSA-2014:1369 https://rhn.redhat.com/errata/RHSA-2014-1369.html