cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache CXF > Note on CVE-2011-1096
Date Mon, 23 Apr 2012 09:26:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF/Note+on+CVE-2011-1096">Note
on CVE-2011-1096</a></h2>
    <h4>Page  <b>added</b> by             <a href="https://cwiki.apache.org/confluence/display/~coheigea@apache.org">Colm
O hEigeartaigh</a>
    </h4>
         <br/>
    <div class="notificationGreySide">
         <p>----<del>BEGIN PGP SIGNED MESSAGE</del>----<br/>
Hash: SHA1</p>


<p>Note on CVE-2011-1096: XML Encryption flaw / Character pattern encoding attack</p>

<p>A new attack on the XML Encryption standard has recently emerged and<br/>
is described by the security advisory CVE-2011-1096:</p>

<p><a href="https://bugzilla.redhat.com/show_bug.cgi?id=681916" class="external-link"
rel="nofollow">https://bugzilla.redhat.com/show_bug.cgi?id=681916</a></p>

<p>   Tibor Jager, Juraj Somorovsky, Meiko Jensen, and Jorg Schwenk<br/>
   described an attack technique against W3C XML Encryption Standard,<br/>
   when the block ciphers were used in cipher-block chaining (CBC)<br/>
   mode of operation. A remote attacker, aware of a cryptographic<br/>
   weakness of the CBC mode could use this flaw to conduct<br/>
   chosen-ciphertext attacks, leading to the recovery of the entire<br/>
   plaintext of a particular cryptogram by examining of the differences<br/>
   between SOAP responses, sent from JBossWS, J2EE Web Services server.</p>

<p>There is no (immediate) security "fix" for this issue, as it is an<br/>
attack on the standard itself. However, the attack can be prevented by<br/>
using a symmetric algorithm such as AES-128 or AES-256 with GCM. Until<br/>
the WS-SecurityPolicy specification is updated to support GCM, Apache<br/>
CXF has defined its own AlgorithmSuite policies to use GCM algorithms.<br/>
These AlgorithmSuites are called "Basic128GCM", "Basic192GCM" and<br/>
"Basic256GCM" in the namespace<br/>
"http://cxf.apache.org/custom/security-policy". See here for more<br/>
details about how to use these policies:</p>

<p><a href="http://coheigea.blogspot.com/2012/04/note-on-cve-2011-1096.html" class="external-link"
rel="nofollow">http://coheigea.blogspot.com/2012/04/note-on-cve-2011-1096.html</a></p>

<p>----<del>BEGIN PGP SIGNATURE</del>----<br/>
Version: GnuPG v1.4.11 (GNU/Linux)</p>

<p>iQEcBAEBAgAGBQJPlR+yAAoJEGe/gLEK1TmDXTAH/05JOBp2mqn9QAvBHtYPOk6c<br/>
+C8jaJZFJG0vBB1BO7l0bRUUVp3giHeCP20uTMX6n/eLphwQ4kfO7kvJQ/BMLfW1<br/>
CWXbc70khLJEMG9u0p4QZtmC+bftTvrecZFSe+yt52tQM0+55a1WjVdOrb7yCu2R<br/>
sgZCYACNCn+Bx5u/BSWBpfaOz4FLiFssagZlw8LdQT67WiAXa4HXRmD+Q5fyr0LA<br/>
zvvG030UlxpR7r5W5I2gBswtzJL4CV7IBSaomXmQhTXVJ4pbHfkqY/ShO8kHGBnZ<br/>
wsRN3NQipuci1kyAI8o6ksIRyEua+M7yHwGRsOxCaZJU/bJtcgnRmiJCY6xcAgg=<br/>
=1y0o<br/>
----<del>END PGP SIGNATURE</del>----</p>
    </div>
    <div id="commentsSection" class="wiki-content pageSection">
       <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
       </div>
       <a href="https://cwiki.apache.org/confluence/display/CXF/Note+on+CVE-2011-1096">View
Online</a>
              |
       <a href="https://cwiki.apache.org/confluence/display/CXF/Note+on+CVE-2011-1096?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
           </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message