cxf-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache CXF > CVE-2012-5575
Date Fri, 12 Apr 2013 15:54:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF/CVE-2012-5575">CVE-2012-5575</a></h2>
    <h4>Page  <b>added</b> by             <a href="https://cwiki.apache.org/confluence/display/~coheigea@apache.org">Colm
O hEigeartaigh</a>
    </h4>
         <br/>
    <div class="notificationGreySide">

<p>An XML Encryption backwards compatibility attack on Apache CXF is described by<br/>
CVE-2012-5575:</p>

<p><a href="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5575" class="external-link"
rel="nofollow">https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5575</a></p>

<p>This attack relates to a previous security advisory, CVE-2011-1096<br/>
(<a href="http://cxf.apache.org/note-on-cve-2011-1096.html" class="external-link" rel="nofollow">http://cxf.apache.org/note-on-cve-2011-1096.html</a>).
CVE-2011-1096 exploited a<br/>
cryptographic weakness in the CBC mode of XML Encryption to conduct chosen<br/>
ciphertext attacks leading to the recovery of the entire plaintext. The fix<br/>
for CVE-2011-1096 was to switch to GCM instead of CBC. Please see the note<br/>
linked above for more information.</p>

<p>CVE-2012-5575 resurrects the previous attack by relying on the fact that<br/>
Apache CXF will attempt to decrypt arbitrary ciphertexts without first<br/>
checking that the algorithm used corresponds to the encryption algorithm<br/>
defined by the WS-SecurityPolicy AlgorithmSuite definition.</p>
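
<p>The check whose absence is described above, sketched as an added example (not code from CXF or WSS4J): every <code>EncryptionMethod</code> in a message is compared against the algorithms the policy allows before any decryption is attempted. The <code>SUITE</code> mapping, the function names and the sample message are assumptions constructed for illustration, and standard-library XML parsing is used for brevity.</p>

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"

# Hypothetical stand-in for the algorithms a WS-SecurityPolicy AlgorithmSuite
# permits (assumption: a GCM-only suite, as adopted after CVE-2011-1096).
SUITE = {
    "EncryptedData": {XENC11 + "aes128-gcm"},
    "EncryptedKey": {XENC + "rsa-oaep-mgf1p"},
}

class AlgorithmPolicyError(Exception):
    """Raised before any decryption when a message violates the suite."""

def check_encryption_algorithms(xml_text, suite=SUITE):
    """Return the declared algorithm URIs, or raise if any is outside the suite."""
    root = ET.fromstring(xml_text)
    seen = []
    for kind, allowed in suite.items():
        for elem in root.iter(f"{{{XENC}}}{kind}"):
            method = elem.find(f"{{{XENC}}}EncryptionMethod")
            uri = method.get("Algorithm") if method is not None else None
            # A missing EncryptionMethod is rejected too: never guess the cipher.
            if uri not in allowed:
                raise AlgorithmPolicyError(f"{kind} uses {uri!r}, not in suite")
            seen.append(uri)
    return seen

def sample(data_alg):
    """Constructed message body with one EncryptedData wrapping an EncryptedKey."""
    return f"""<Body xmlns:xenc="{XENC}" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <xenc:EncryptedData>
        <xenc:EncryptionMethod Algorithm="{data_alg}"/>
        <ds:KeyInfo><xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p"/>
          <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey></ds:KeyInfo>
        <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedData>
    </Body>"""

if __name__ == "__main__":
    print(check_encryption_algorithms(sample(XENC11 + "aes128-gcm")))
    try:
        check_encryption_algorithms(sample(XENC + "aes128-cbc"))
    except AlgorithmPolicyError as err:
        print("rejected:", err)
```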

<p>Migration:</p>

<p>Any version of CXF that uses Apache WSS4J 1.6.7 or below is vulnerable to this<br/>
attack. In other words, any version of CXF below 2.5.7, 2.6.4, or 2.7.1.<br/>
However, due to separate security advisories, we urge CXF users to upgrade to<br/>
one of the latest releases as follows:</p>

<p>CXF 2.5.x users should upgrade to CXF 2.5.10.<br/>
CXF 2.6.x users should upgrade to CXF 2.6.7.<br/>
CXF 2.7.x users should upgrade to CXF 2.7.4.</p>

    </div>
</div>
</div>
</div>
</div>
</body>
</html>
