Bug 999263 - (CVE-2013-2172) CVE-2013-2172 Apache Santuario XML Security for Java: XML signature spoofing
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20130625,repor...
: Security
Depends On: 1000238 1000239 1000240 1000241 1000242 1000243 1000244
Blocks: 956239 970481 980700 999265 1004652 1007672 1026176 1113315
Reported: 2013-08-21 00:13 EDT by David Jorm
Modified: 2014-10-20 20:05 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-09 14:24:30 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Description David Jorm 2013-08-21 00:13:50 EDT
Issue Description:

A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.
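The description above turns on the verifier accepting whatever canonicalization algorithm the signature itself declares. As an added example (not code from the bug report or from Santuario), the following plain-Java gate reads the Algorithm URI from ds:SignedInfo/ds:CanonicalizationMethod and rejects anything outside an allowlist of the four standard C14N URIs before the document is handed to the signature library; the class name, the constructed signature fragments and the use of Set.of (Java 9+) are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class C14nAllowlistGate {
    // Assumption: only the four standard C14N algorithms may be applied to SignedInfo.
    private static final Set<String> ALLOWED_C14N = Set.of(
        CanonicalizationMethod.INCLUSIVE, CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS,
        CanonicalizationMethod.EXCLUSIVE, CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS);
    // Exactly one ds:<localName> descendant is required; anything else is treated as malformed.
    private static Element only(Element parent, String localName) {
        NodeList nl = parent.getElementsByTagNameNS(XMLSignature.XMLNS, localName);
        if (nl.getLength() != 1) throw new IllegalArgumentException("expected one ds:" + localName);
        return (Element) nl.item(0);
    }
    // Algorithm URI declared by ds:Signature/ds:SignedInfo/ds:CanonicalizationMethod.
    static String declaredC14n(Element signature) {
        return only(only(signature, "SignedInfo"), "CanonicalizationMethod").getAttribute("Algorithm");
    }
    // Gate to apply to the parsed ds:Signature before handing it to the library's validate().
    static boolean c14nIsAllowed(Element signature) {
        return ALLOWED_C14N.contains(declaredC14n(signature));
    }
    static Element parseSignature(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // needed for the ds: namespace lookups above
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) throw new IllegalArgumentException("no ds:Signature");
        return (Element) sigs.item(0);
    }
    public static void main(String[] args) throws Exception {
        // Constructed fragments: a standard exclusive-C14N URI, then a URI outside the allowlist.
        String ok = "<ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:SignedInfo>"
            + "<ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>"
            + "</ds:SignedInfo></ds:Signature>";
        String odd = ok.replace("http://www.w3.org/2001/10/xml-exc-c14n#", "urn:example:not-c14n");
        System.out.println("standard URI allowed: " + c14nIsAllowed(parseSignature(ok)));
        System.out.println("unexpected URI allowed: " + c14nIsAllowed(parseSignature(odd)));
    }
}
```

The gate is defence in depth for deployments that cannot move to the fixed releases immediately; it does not replace upgrading, since the library still performs the actual reference and signature checks.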
Comment 1 David Jorm 2013-08-21 00:30:47 EDT
This has been corrected upstream in versions 1.4.8 and 1.5.5:

http://svn.apache.org/viewvc?view=revision&revision=1493772

External Reference:

http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc
Comment 4 errata-xmlrpc 2013-09-04 14:57:27 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.1.1

Via RHSA-2013:1209 https://rhn.redhat.com/errata/RHSA-2013-1209.html
Comment 5 errata-xmlrpc 2013-09-04 15:00:27 EDT
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 6

Via RHSA-2013:1208 https://rhn.redhat.com/errata/RHSA-2013-1208.html
Comment 6 errata-xmlrpc 2013-09-04 15:05:06 EDT
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 5

Via RHSA-2013:1207 https://rhn.redhat.com/errata/RHSA-2013-1207.html
Comment 7 errata-xmlrpc 2013-09-09 12:57:47 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Web Platform 5.2.0

Via RHSA-2013:1220 https://rhn.redhat.com/errata/RHSA-2013-1220.html
Comment 8 errata-xmlrpc 2013-09-09 12:59:29 EDT
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2013:1219 https://rhn.redhat.com/errata/RHSA-2013-1219.html
Comment 9 errata-xmlrpc 2013-09-09 12:59:40 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:1218 https://rhn.redhat.com/errata/RHSA-2013-1218.html
Comment 10 errata-xmlrpc 2013-09-09 13:00:19 EDT
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2013:1217 https://rhn.redhat.com/errata/RHSA-2013-1217.html
Comment 11 errata-xmlrpc 2013-09-30 13:59:26 EDT
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 5.3.1

Via RHSA-2013:1375 https://rhn.redhat.com/errata/RHSA-2013-1375.html
Comment 12 errata-xmlrpc 2013-10-16 12:59:27 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Portal 6.1.0

Via RHSA-2013:1437 https://rhn.redhat.com/errata/RHSA-2013-1437.html
Comment 13 errata-xmlrpc 2013-12-17 13:38:13 EST
This issue has been addressed in the following products:

  Red Hat JBoss Operations Network 3.2.0

Via RHSA-2013:1853 https://rhn.redhat.com/errata/RHSA-2013-1853.html
Comment 14 errata-xmlrpc 2014-02-25 11:42:07 EST
This issue has been addressed in the following products:

  Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2014:0212 https://rhn.redhat.com/errata/RHSA-2014-0212.html
Comment 16 Chess Hazlett 2014-04-14 22:30:46 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.1.0

Via RHSA-2014:0400 https://rhn.redhat.com/errata/RHSA-2014-0400.html
Comment 17 errata-xmlrpc 2014-10-09 12:07:54 EDT
This issue has been addressed in the following products:

  Fuse ESB Enterprise 7.1.0
  Fuse MQ Enterprise 7.1.0

Via RHSA-2014:1369 https://rhn.redhat.com/errata/RHSA-2014-1369.html