Issue Description: A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.
This has been corrected upstream in versions 1.4.8 and 1.5.5: http://svn.apache.org/viewvc?view=revision&revision=1493772
External Reference: http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc
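Added illustration, not taken from the advisory or from Santuario's own fix: a validation wrapper built on the standard javax.xml.crypto.dsig API that rejects a SignedInfo whose CanonicalizationMethod is anything other than one of the four standard C14N algorithms, and only then performs the cryptographic check. The class and method names are hypothetical, and it assumes the caller already holds the trusted verification key rather than trusting whatever KeyInfo the signature carries.

```java
import java.security.Key;
import java.util.Set;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.Element;

/** Hypothetical wrapper (example code, not part of Santuario). Requires Java 9+ for Set.of. */
public final class StrictSignatureValidator {

    // The only algorithms that are genuinely canonicalization algorithms. Anything else in
    // CanonicalizationMethod/@Algorithm (e.g. a transform identifier) is rejected outright,
    // which is the condition the CVE-2013-2172 description is about.
    private static final Set<String> ALLOWED_C14N = Set.of(
            CanonicalizationMethod.INCLUSIVE,
            CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS,
            CanonicalizationMethod.EXCLUSIVE,
            CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS);

    private StrictSignatureValidator() {}

    /**
     * @param signatureElement the ds:Signature element of an already-parsed document
     * @param verificationKey  a key the caller trusts independently of the document
     * @return true only if the core validation (signature + all reference digests) passes
     */
    public static boolean validate(Element signatureElement, Key verificationKey)
            throws MarshalException, XMLSignatureException {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(verificationKey, signatureElement);
        // JDK/Santuario secure-validation mode: disables the riskier transform types and
        // other permissive defaults. Belt-and-braces alongside the explicit allowlist below.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

        XMLSignature sig = fac.unmarshalXMLSignature(ctx);

        // Inspect the algorithm the signer asked for BEFORE any canonicalization or
        // digest/signature computation runs, so an attacker-chosen algorithm never executes.
        String c14n = sig.getSignedInfo().getCanonicalizationMethod().getAlgorithm();
        if (!ALLOWED_C14N.contains(c14n)) {
            throw new XMLSignatureException(
                    "Rejected SignedInfo CanonicalizationMethod: " + c14n);
        }
        return sig.validate(ctx);
    }
}
```

A rejected algorithm surfaces as an exception rather than a false return value so that callers cannot mistake "refused to evaluate" for "evaluated and found invalid"; log the offending identifier, since it is a useful detection signal for crafted signature blocks.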
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.1.1 Via RHSA-2013:1209 https://rhn.redhat.com/errata/RHSA-2013-1209.html
This issue has been addressed in the following products: JBEAP 6 for RHEL 6 Via RHSA-2013:1208 https://rhn.redhat.com/errata/RHSA-2013-1208.html
This issue has been addressed in the following products: JBEAP 6 for RHEL 5 Via RHSA-2013:1207 https://rhn.redhat.com/errata/RHSA-2013-1207.html
This issue has been addressed in the following products: Red Hat JBoss Web Platform 5.2.0 Via RHSA-2013:1220 https://rhn.redhat.com/errata/RHSA-2013-1220.html
This issue has been addressed in the following products: JBEWP 5 for RHEL 4, JBEWP 5 for RHEL 5, and JBEWP 5 for RHEL 6 Via RHSA-2013:1219 https://rhn.redhat.com/errata/RHSA-2013-1219.html
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 5.2.0 Via RHSA-2013:1218 https://rhn.redhat.com/errata/RHSA-2013-1218.html
This issue has been addressed in the following products: JBEAP 5 for RHEL 4, JBEAP 5 for RHEL 5, and JBEAP 5 for RHEL 6 Via RHSA-2013:1217 https://rhn.redhat.com/errata/RHSA-2013-1217.html
This issue has been addressed in the following products: Red Hat JBoss BRMS 5.3.1 Via RHSA-2013:1375 https://rhn.redhat.com/errata/RHSA-2013-1375.html
This issue has been addressed in the following products: Red Hat JBoss Portal 6.1.0 Via RHSA-2013:1437 https://rhn.redhat.com/errata/RHSA-2013-1437.html
This issue has been addressed in the following products: Red Hat JBoss Operations Network 3.2.0 Via RHSA-2013:1853 https://rhn.redhat.com/errata/RHSA-2013-1853.html
This issue has been addressed in the following products: Red Hat JBoss SOA Platform 5.3.1 Via RHSA-2014:0212 https://rhn.redhat.com/errata/RHSA-2014-0212.html
This issue has been addressed in the following products: Red Hat JBoss Fuse 6.1.0 Via RHSA-2014:0400 https://rhn.redhat.com/errata/RHSA-2014-0400.html
This issue has been addressed in the following products: Fuse ESB Enterprise 7.1.0 and Fuse MQ Enterprise 7.1.0 Via RHSA-2014:1369 https://rhn.redhat.com/errata/RHSA-2014-1369.html