CVE-2015-0227

Impact:
Moderate
Public Date:
2015-02-10
CWE:
CWE-358
Bugzilla:
1191451: CVE-2015-0227 wss4j: Apache WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property
It was found that Apache WSS4J permitted bypass of the requireSignedEncryptedDataElements configuration property via XML Signature wrapping attacks. A remote attacker could use this flaw to modify the contents of a signed request.

Find out more about CVE-2015-0227 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

Red Hat JBoss BPMS 6:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat JBoss BRMS 5:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat JBoss BRMS 6:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat JBoss Data Virtualization 6:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat JBoss EAP 5:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat JBoss Enterprise SOA Platform 4:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat JBoss Enterprise SOA Platform 5:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat JBoss Fuse Service Works 6:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat JBoss Operations Network 3:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat JBoss Portal 5:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat OpenShift Enterprise 2:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

CVSS v2 metrics

Base Score 4
Base Metrics AV:N/AC:H/Au:N/C:P/I:P/A:N
Access Vector Network
Access Complexity High
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Portal 6.2 RHSA-2015:1009 2015-05-14
Red Hat JBoss A-MQ 6.2 RHSA-2015:1177 2015-06-23
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server RHSA-2015:0847 2015-04-16
Red Hat JBoss Fuse 6.2 RHSA-2015:1176 2015-06-23
Red Hat JBoss Enterprise Application Platform 6.4 RHSA-2015:0849 2015-04-16
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server RHSA-2015:0848 2015-04-16
Red Hat JBoss Data Grid 6.4 RHSA-2015:0773 2015-04-01
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server RHSA-2015:0846 2015-04-16

Affected Packages State

Platform Package State
Red Hat OpenShift Enterprise 2 wss4j Will not fix
Red Hat JBoss Portal 5 wss4j Will not fix
Red Hat JBoss Operations Network 3 wss4j Will not fix
Red Hat JBoss Operations Network 2 wss4j Not affected
Red Hat JBoss Fuse Service Works 6 wss4j Will not fix
Red Hat JBoss Enterprise SOA Platform 5 wss4j Will not fix
Red Hat JBoss Enterprise SOA Platform 4 wss4j Will not fix
Red Hat JBoss EAP 5 wss4j Will not fix
Red Hat JBoss Data Virtualization 6 wss4j Will not fix
Red Hat JBoss BRMS 6 wss4j Will not fix
Red Hat JBoss BRMS 5 wss4j Will not fix
Red Hat JBoss BPMS 6 wss4j Will not fix
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although may not have been subject to full analysis.
Last Modified