CVE-2012-5575

Impact:
Important
Public Date:
2013-03-08
CWE:
CWE-327
Bugzilla:
880443: CVE-2012-5575 jbossws-native, jbossws-cxf, apache-cxf: XML encryption backwards compatibility attacks

The MITRE CVE dictionary describes this issue as:

Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka "XML Encryption backwards compatibility attack."

Find out more about CVE-2012-5575 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v2 metrics

Base Score 7.8
Base Metrics AV:N/AC:L/Au:N/C:C/I:N/A:N
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact None
Availability Impact None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Portal Platform 6.1 RHSA-2013:1437 2013-10-16
Red Hat JBoss Web Platform 5 for RHEL 4 AS RHSA-2013:0874 2013-05-28
Red Hat JBoss Portal 5.2 RHSA-2013:0953 2013-06-18
JBoss Enterprise BRMS Platform 5.3 RHSA-2013:1006 2013-07-01
Fuse ESB Enterprise 7.1.0 RHSA-2013:1028 2013-07-09
Red Hat JBoss SOA Platform 4.3 RHSA-2013:1143 2013-08-07
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server RHSA-2013:0873 2013-05-28
Red Hat JBoss Enterprise Application Platform 5.2 RHSA-2013:0875 2013-05-28
Red Hat JBoss Web Platform 5 for RHEL 6 Server RHSA-2013:0874 2013-05-28
Red Hat JBoss Web Platform 5.2 RHSA-2013:0876 2013-05-28
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS RHSA-2013:0873 2013-05-28
Red Hat JBoss Enterprise Application Platform 6.1 RHSA-2013:0833 2013-05-20
Red Hat JBoss Web Platform 5 for RHEL 5 Server RHSA-2013:0874 2013-05-28
Red Hat JBoss SOA Platform 5.3 RHSA-2013:0943 2013-06-12
Red Hat JBoss Portal 4.3 RHSA-2013:1143 2013-08-07
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jbossws-native) RHSA-2013:0834 2013-05-20
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (jbossws-native) RHSA-2013:0839 2013-05-20
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server RHSA-2013:0873 2013-05-28

Acknowledgements

Red Hat would like to thank Tibor Jager, Kenneth G. Paterson and Juraj Somorovsky of Ruhr-University Bochum for reporting this issue.

External References

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact Red Hat Product Security.

Last Modified

CVE description copyright © 2017, The MITRE Corporation

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.