Bug 1184115 (CVE-2014-8152) - CVE-2014-8152 Apache Santuario XML Security for Java: Streaming XML Signature verification failure
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2014-8152
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-01-20 15:20 UTC by Martin Prpič
Modified: 2021-02-17 05:47 UTC (History)

Fixed In Version: xmlsec 2.0.3
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-20 15:21:17 UTC
Embargoed:



Description Martin Prpič 2015-01-20 15:20:35 UTC
The 2.0.x series of releases of the Apache Santuario XML Security for Java library introduced support for streaming (StAX-based) XML Signature and Encryption.

It was discovered that Apache Santuario XML Security for Java did not correctly verify signatures of certain XML documents. A remote attacker could use this flaw to modify an XML document without invalidating its signature.

Please note that the "in-memory" (DOM) API for XML Signature is not affected by this issue, nor is the JSR-105 API. Web service stacks that use the streaming functionality of Apache Santuario (such as Apache CXF/WSS4J) are also not affected by this vulnerability.

Upstream patch:

http://svn.apache.org/viewvc?view=revision&revision=1634334

External References:

http://santuario.apache.org/secadv.data/CVE-2014-8152.txt

Comment 1 Martin Prpič 2015-01-20 15:21:17 UTC
Statement:

Not vulnerable. The 2.0.x versions of Apache Santuario XML Security for Java are not shipped in any Red Hat product as of January 2015.

Comment 2 Arun Babu Neelicattu 2015-01-21 09:29:31 UTC
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/java/2014/8152.yaml

