Bug 826534 (CVE-2012-2379) - CVE-2012-2379 jbossws-cxf, apache-cxf: Apache CXF does not verify that elements were signed / encrypted by a particular Supporting Token
Summary: CVE-2012-2379 jbossws-cxf, apache-cxf: Apache CXF does not verify that elemen...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-2379
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 827797 827798 827799 846244 846246 846247 882283
Blocks: 789173 826535 849517 874925 879071 879083 881519 1028865
TreeView+ depends on / blocked
 
Reported: 2012-05-30 12:52 UTC by Jan Lieskovsky
Modified: 2023-05-12 22:43 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-24 22:50:29 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1559 0 normal SHIPPED_LIVE Important: JBoss Enterprise BRMS Platform 5.3.0 security update 2012-12-13 05:31:11 UTC
Red Hat Product Errata RHSA-2012:1573 0 normal SHIPPED_LIVE Important: JBoss Enterprise BRMS Platform 5.3.1 update 2012-12-13 05:31:07 UTC
Red Hat Product Errata RHSA-2012:1591 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 6.0.1 update 2012-12-19 03:19:29 UTC
Red Hat Product Errata RHSA-2012:1592 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 6.0.1 update 2012-12-19 03:31:01 UTC
Red Hat Product Errata RHSA-2012:1593 0 normal SHIPPED_LIVE Important: JBoss Enterprise SOA Platform 5.3.0 update 2012-12-19 03:30:57 UTC
Red Hat Product Errata RHSA-2012:1594 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 6.0.1 update 2012-12-19 03:52:56 UTC
Red Hat Product Errata RHSA-2013:0191 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 5.2.0 update 2013-01-24 23:30:08 UTC
Red Hat Product Errata RHSA-2013:0192 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 5.2.0 update 2013-01-24 23:28:23 UTC
Red Hat Product Errata RHSA-2013:0193 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 5.2.0 update 2013-01-24 23:42:29 UTC
Red Hat Product Errata RHSA-2013:0194 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 5.2.0 update 2013-01-24 23:08:14 UTC
Red Hat Product Errata RHSA-2013:0195 0 normal SHIPPED_LIVE Important: JBoss Enterprise Web Platform 5.2.0 update 2013-01-24 23:41:24 UTC
Red Hat Product Errata RHSA-2013:0196 0 normal SHIPPED_LIVE Important: JBoss Enterprise Web Platform 5.2.0 update 2013-01-24 23:55:46 UTC
Red Hat Product Errata RHSA-2013:0197 0 normal SHIPPED_LIVE Important: JBoss Enterprise Web Platform 5.2.0 update 2013-01-24 23:54:22 UTC
Red Hat Product Errata RHSA-2013:0198 0 normal SHIPPED_LIVE Important: JBoss Enterprise Web Platform 5.2.0 update 2013-01-25 00:07:17 UTC

Description Jan Lieskovsky 2012-05-30 12:52:50 UTC 
A flaw was found in the way Apache CXF verifies that XML elements were signed or encrypted by a particular Supporting Token. CXF checks to ensure these elements are signed or encrypted by a Supporting Token, but not whether the correct token is used. A remote attacker could use this flaw to transmit confidential information without the appropriate security, and potentially to circumvent access controls on web services exposed via CXF.
Comment 5 Vincent Danen 2012-06-07 16:27:51 UTC 
This has been corrected upstream in versions 2.4.8, 2.5.4, and 2.6.1:

http://svn.apache.org/viewvc?rev=1338219&view=rev

External Reference:

http://cxf.apache.org/cve-2012-2379.html
Comment 7 David Jorm 2012-08-07 09:00:26 UTC 
Created jbossws-cxf tracking bugs for this issue

Affects: fedora-17 [bug 846247]
Comment 8 Murray McAllister 2012-10-11 04:09:00 UTC 
Acknowledgements:

Red Hat would like to thank the Apache CXF project for reporting this issue.
Comment 9 errata-xmlrpc 2012-12-13 00:32:32 UTC 
This issue has been addressed in following products:

  JBoss Enterprise BRMS Platform 5.3.1

Via RHSA-2012:1573 https://rhn.redhat.com/errata/RHSA-2012-1573.html
Comment 10 errata-xmlrpc 2012-12-13 00:32:36 UTC 
This issue has been addressed in following products:

  JBoss Enterprise BRMS Platform 5.3.0

Via RHSA-2012:1559 https://rhn.redhat.com/errata/RHSA-2012-1559.html
Comment 11 errata-xmlrpc 2012-12-18 22:21:30 UTC 
This issue has been addressed in following products:

  JBEAP 6 for RHEL 5

Via RHSA-2012:1591 https://rhn.redhat.com/errata/RHSA-2012-1591.html
Comment 12 errata-xmlrpc 2012-12-18 22:33:04 UTC 
This issue has been addressed in following products:

  JBoss Enterprise SOA Platform 5.3.0

Via RHSA-2012:1593 https://rhn.redhat.com/errata/RHSA-2012-1593.html
Comment 13 errata-xmlrpc 2012-12-18 22:33:23 UTC 
This issue has been addressed in following products:

  JBEAP 6 for RHEL 6

Via RHSA-2012:1592 https://rhn.redhat.com/errata/RHSA-2012-1592.html
Comment 14 errata-xmlrpc 2012-12-18 22:53:21 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.0.1

Via RHSA-2012:1594 https://rhn.redhat.com/errata/RHSA-2012-1594.html
Comment 15 errata-xmlrpc 2013-01-24 18:09:38 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0194 https://rhn.redhat.com/errata/RHSA-2013-0194.html
Comment 16 errata-xmlrpc 2013-01-24 18:32:31 UTC 
This issue has been addressed in following products:

  JBEAP 5 for RHEL 5

Via RHSA-2013:0192 https://rhn.redhat.com/errata/RHSA-2013-0192.html
Comment 17 errata-xmlrpc 2013-01-24 18:33:17 UTC 
This issue has been addressed in following products:

  JBEAP 5 for RHEL 6

Via RHSA-2013:0191 https://rhn.redhat.com/errata/RHSA-2013-0191.html
Comment 18 errata-xmlrpc 2013-01-24 18:45:33 UTC 
This issue has been addressed in following products:

  JBEWP 5 for RHEL 6

Via RHSA-2013:0195 https://rhn.redhat.com/errata/RHSA-2013-0195.html
Comment 19 errata-xmlrpc 2013-01-24 18:46:18 UTC 
This issue has been addressed in following products:

  JBEAP 5 for RHEL 4

Via RHSA-2013:0193 https://rhn.redhat.com/errata/RHSA-2013-0193.html
Comment 20 errata-xmlrpc 2013-01-24 18:58:35 UTC 
This issue has been addressed in following products:

  JBEWP 5 for RHEL 4

Via RHSA-2013:0197 https://rhn.redhat.com/errata/RHSA-2013-0197.html
Comment 21 errata-xmlrpc 2013-01-24 18:59:27 UTC 
This issue has been addressed in following products:

  JBEWP 5 for RHEL 5

Via RHSA-2013:0196 https://rhn.redhat.com/errata/RHSA-2013-0196.html
Comment 22 errata-xmlrpc 2013-01-24 19:08:30 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0198 https://rhn.redhat.com/errata/RHSA-2013-0198.html
Note You need to log in before you can comment on or make changes to this bug.