CVE Database

CVE-2012-5575

Impact: Important
Public: 2013-03-08
CWE: CWE-327
Bugzilla: 880443: CVE-2012-5575 jbossws-native, jbossws-cxf, apache-cxf: XML encryption backwards compatibility attacks
IAVA: 2013-A-0112

Details

The MITRE CVE dictionary describes this issue as:

Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka "XML Encryption backwards compatibility attack."

Find out more about CVE-2012-5575 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score: 7.8
Base Metrics: AV:N/AC:L/Au:N/C:C/I:N/A:N
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: None
Availability Impact: None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat security errata

Platform | Errata | Release Date
Fuse ESB Enterprise 7.1.0 | RHSA-2013:1028 | July 09, 2013
JBoss Enterprise BRMS Platform 5.3 | RHSA-2013:1006 | July 01, 2013
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS | RHSA-2013:0873 | May 28, 2013
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server | RHSA-2013:0873 | May 28, 2013
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server | RHSA-2013:0873 | May 28, 2013
Red Hat JBoss Enterprise Application Platform 5.2 | RHSA-2013:0875 | May 28, 2013
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server | RHSA-2013:0839 | May 20, 2013
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server | RHSA-2013:0834 | May 20, 2013
Red Hat JBoss Enterprise Application Platform 6.1 | RHSA-2013:0833 | May 20, 2013
Red Hat JBoss Portal 4.3 | RHSA-2013:1143 | August 07, 2013
Red Hat JBoss Portal 5.2 | RHSA-2013:0953 | June 18, 2013
Red Hat JBoss Portal Platform 6.1 | RHSA-2013:1437 | October 16, 2013
Red Hat JBoss SOA Platform 4.3 | RHSA-2013:1143 | August 07, 2013
Red Hat JBoss SOA Platform 5.3 | RHSA-2013:0943 | June 12, 2013
Red Hat JBoss Web Platform 5 for RHEL 4 AS | RHSA-2013:0874 | May 28, 2013
Red Hat JBoss Web Platform 5 for RHEL 5 Server | RHSA-2013:0874 | May 28, 2013
Red Hat JBoss Web Platform 5 for RHEL 6 Server | RHSA-2013:0874 | May 28, 2013
Red Hat JBoss Web Platform 5.2 | RHSA-2013:0876 | May 28, 2013

External References

http://www.nds.ruhr-uni-bochum.de/research/publications/backwards-compatibility/

http://cxf.apache.org/cve-2012-5575.html

Acknowledgements

Red Hat would like to thank Tibor Jager, Kenneth G. Paterson and Juraj Somorovsky of Ruhr-University Bochum for reporting this issue.

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact the Red Hat Security Response Team.