A flaw was found in the way Apache CXF verifies that XML elements were signed or encrypted by a particular Supporting Token. CXF checks to ensure these elements are signed or encrypted by a Supporting Token, but not whether the correct token is used. A remote attacker could use this flaw to transmit confidential information without the appropriate security, and potentially to circumvent access controls on web services exposed via CXF.
This has been corrected upstream in versions 2.4.8, 2.5.4, and 2.6.1: http://svn.apache.org/viewvc?rev=1338219&view=rev External Reference: http://cxf.apache.org/cve-2012-2379.html
Created jbossws-cxf tracking bugs for this issue Affects: fedora-17 [bug 846247]
Acknowledgements: Red Hat would like to thank the Apache CXF project for reporting this issue.
This issue has been addressed in following products: JBoss Enterprise BRMS Platform 5.3.1 Via RHSA-2012:1573 https://rhn.redhat.com/errata/RHSA-2012-1573.html
This issue has been addressed in following products: JBoss Enterprise BRMS Platform 5.3.0 Via RHSA-2012:1559 https://rhn.redhat.com/errata/RHSA-2012-1559.html
This issue has been addressed in following products: JBEAP 6 for RHEL 5 Via RHSA-2012:1591 https://rhn.redhat.com/errata/RHSA-2012-1591.html
This issue has been addressed in following products: JBoss Enterprise SOA Platform 5.3.0 Via RHSA-2012:1593 https://rhn.redhat.com/errata/RHSA-2012-1593.html
This issue has been addressed in following products: JBEAP 6 for RHEL 6 Via RHSA-2012:1592 https://rhn.redhat.com/errata/RHSA-2012-1592.html
This issue has been addressed in following products: JBoss Enterprise Application Platform 6.0.1 Via RHSA-2012:1594 https://rhn.redhat.com/errata/RHSA-2012-1594.html
This issue has been addressed in following products: JBoss Enterprise Application Platform 5.2.0 Via RHSA-2013:0194 https://rhn.redhat.com/errata/RHSA-2013-0194.html
This issue has been addressed in following products: JBEAP 5 for RHEL 5 Via RHSA-2013:0192 https://rhn.redhat.com/errata/RHSA-2013-0192.html
This issue has been addressed in following products: JBEAP 5 for RHEL 6 Via RHSA-2013:0191 https://rhn.redhat.com/errata/RHSA-2013-0191.html
This issue has been addressed in following products: JBEWP 5 for RHEL 6 Via RHSA-2013:0195 https://rhn.redhat.com/errata/RHSA-2013-0195.html
This issue has been addressed in following products: JBEAP 5 for RHEL 4 Via RHSA-2013:0193 https://rhn.redhat.com/errata/RHSA-2013-0193.html
This issue has been addressed in following products: JBEWP 5 for RHEL 4 Via RHSA-2013:0197 https://rhn.redhat.com/errata/RHSA-2013-0197.html
This issue has been addressed in following products: JBEWP 5 for RHEL 5 Via RHSA-2013:0196 https://rhn.redhat.com/errata/RHSA-2013-0196.html
This issue has been addressed in following products: JBoss Enterprise Web Platform 5.2.0 Via RHSA-2013:0198 https://rhn.redhat.com/errata/RHSA-2013-0198.html