ID CVE-2013-2172
Summary jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."
References
Vulnerable Configurations
  • Apache Software Foundation Apache Santuario XML Security for Java 1.4.7
    cpe:2.3:a:apache:xml_security_for_java:1.4.7
  • Apache Software Foundation Apache Santuario XML Security for Java 1.5.0
    cpe:2.3:a:apache:xml_security_for_java:1.5.0
  • Apache Software Foundation Apache Santuario XML Security for Java 1.5.1
    cpe:2.3:a:apache:xml_security_for_java:1.5.1
  • Apache Software Foundation Apache Santuario XML Security for Java 1.5.2
    cpe:2.3:a:apache:xml_security_for_java:1.5.2
  • Apache Software Foundation Apache Santuario XML Security for Java 1.5.3
    cpe:2.3:a:apache:xml_security_for_java:1.5.3
  • Apache Software Foundation Apache Santuario XML Security for Java 1.5.4
    cpe:2.3:a:apache:xml_security_for_java:1.5.4
CVSS
Base: 4.3 (as of 20-08-2013 - 19:14)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: PARTIAL
  Availability: NONE
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1437.NASL
    description The version of JBoss Enterprise Portal Platform on the remote system is affected by the following issues: - A flaw in CSRF prevention filter in JBoss Web could allow remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier. (CVE-2012-4431) - A flaw that occurs when the COOKIE session tracking method is used can allow attackers to hijack users' sessions. (CVE-2012-4529) - A flaw that occurs when multiple applications use the same custom authorization module class name can allow a local attacker to deploy a malicious application that overrides the custom authorization modules provided by other applications. (CVE-2012-4572) - The framework does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting. This can allow remote attackers to force the system to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications. (CVE-2012-5575) - A flaw in PicketBox can allow local users to obtain the admin encryption key by reading the Vault data file. (CVE-2013-1921) - A session fixation flaw was found in the FormAuthenticator module. (CVE-2013-2067) - A flaw that occurs when a JGroups channel was started results in the JGroups diagnostics service being enabled by default with no authentication via IP multicast. A remote attacker can make use of this flaw to read diagnostics information. (CVE-2013-2102) - A flaw in the StAX parser implementation can allow remote attackers to cause a denial of service via crafted XML. (CVE-2013-2160) - A flaw in Apache Santuario XML Security can allow context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak algorithm. (CVE-2013-2172) - A flaw in JGroup's DiagnosticsHandler can allow remote attackers to obtain sensitive information and execute arbitrary code by re-using valid credentials. (CVE-2013-4112) - A flaw in the manner in which authenticated connections were cached on the server by remote-naming can allow remote attackers to hijack sessions by using a remoting client. (CVE-2013-4128) - A flaw in the manner in which connections for EJB invocations were cached on the server can allow remote attackers to hijack sessions by using an EJB client. (CVE-2013-4213)
    last seen 2019-02-21
    modified 2018-07-26
    plugin id 72237
    published 2014-01-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72237
    title JBoss Portal 6.1.0 Update (RHSA-2013:1437)
  • NASL family Web Servers
    NASL id GLASSFISH_CPU_OCT_2013.NASL
    description The version of GlassFish Server running on the remote host is affected by multiple vulnerabilities in the following components : - Java Server Faces - Metro
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 70482
    published 2013-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70482
    title Oracle GlassFish Server Multiple Vulnerabilities (October 2013 CPU)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2028-1.NASL
    description James Forshaw discovered that Apache XML Security for Java incorrectly validated CanonicalizationMethod parameters. An attacker could use this flaw to spoof XML signatures. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 70875
    published 2013-11-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70875
    title Ubuntu 10.04 LTS : libxml-security-java vulnerability (USN-2028-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1208.NASL
    description Red Hat JBoss Enterprise Application Platform 6.1.1, which fixes multiple security issues, various bugs, and adds enhancements, is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.1.0, and includes bug fixes and enhancements. Refer to the 6.1.1 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/site/documentation/ Security fixes : Cross-site scripting (XSS) flaws were found in the mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp modules. An attacker could possibly use these flaws to perform XSS attacks if they were able to make the victim's browser generate an HTTP request with a specially crafted Host header. (CVE-2012-3499) Cross-site scripting (XSS) flaws were found in the mod_proxy_balancer module's manager web interface. If a remote attacker could trick a user, who was logged into the manager web interface, into visiting a specially crafted URL, it would lead to arbitrary web script execution in the context of the user's manager interface session. (CVE-2012-4558) A flaw was found in the way the mod_dav module handled merge requests. An attacker could use this flaw to send a crafted merge request that contains URIs that are not configured for DAV, causing the httpd child process to crash. (CVE-2013-1896) A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block. (CVE-2013-2172) It was found that mod_rewrite did not filter terminal escape sequences from its log file. If mod_rewrite was configured with the RewriteLog directive, a remote attacker could use specially crafted HTTP requests to inject terminal escape sequences into the mod_rewrite log file. If a victim viewed the log file with a terminal emulator, it could result in arbitrary command execution with the privileges of that user. (CVE-2013-1862) The data file used by PicketBox Vault to store encrypted passwords contains a copy of its own admin key. The file is encrypted using only this admin key, not the corresponding JKS key. A local attacker with permission to read the vault data file could read the admin key from the file, and use it to decrypt the file and read the stored passwords in clear text. (CVE-2013-1921) A flaw was found in JGroup's DiagnosticsHandler that allowed an attacker on an adjacent network to reuse the credentials from a previous successful authentication. This could be exploited to read diagnostic information (information disclosure) and attain limited remote code execution. (CVE-2013-4112) Warning: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. Refer to the Solution section for further details. All users of Red Hat JBoss Enterprise Application Platform 6.1.0 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-07-26
    plugin id 69883
    published 2013-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69883
    title RHEL 6 : JBoss EAP (RHSA-2013:1208)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1207.NASL
    description Red Hat JBoss Enterprise Application Platform 6.1.1, which fixes multiple security issues, various bugs, and adds enhancements, is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.1.0, and includes bug fixes and enhancements. Refer to the 6.1.1 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/site/documentation/ Security fixes : Cross-site scripting (XSS) flaws were found in the mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp modules. An attacker could possibly use these flaws to perform XSS attacks if they were able to make the victim's browser generate an HTTP request with a specially crafted Host header. (CVE-2012-3499) Cross-site scripting (XSS) flaws were found in the mod_proxy_balancer module's manager web interface. If a remote attacker could trick a user, who was logged into the manager web interface, into visiting a specially crafted URL, it would lead to arbitrary web script execution in the context of the user's manager interface session. (CVE-2012-4558) A flaw was found in the way the mod_dav module handled merge requests. An attacker could use this flaw to send a crafted merge request that contains URIs that are not configured for DAV, causing the httpd child process to crash. (CVE-2013-1896) A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block. (CVE-2013-2172) It was found that mod_rewrite did not filter terminal escape sequences from its log file. If mod_rewrite was configured with the RewriteLog directive, a remote attacker could use specially crafted HTTP requests to inject terminal escape sequences into the mod_rewrite log file. If a victim viewed the log file with a terminal emulator, it could result in arbitrary command execution with the privileges of that user. (CVE-2013-1862) The data file used by PicketBox Vault to store encrypted passwords contains a copy of its own admin key. The file is encrypted using only this admin key, not the corresponding JKS key. A local attacker with permission to read the vault data file could read the admin key from the file, and use it to decrypt the file and read the stored passwords in clear text. (CVE-2013-1921) A flaw was found in JGroup's DiagnosticsHandler that allowed an attacker on an adjacent network to reuse the credentials from a previous successful authentication. This could be exploited to read diagnostic information (information disclosure) and attain limited remote code execution. (CVE-2013-4112) Warning: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. Refer to the Solution section for further details. All users of Red Hat JBoss Enterprise Application Platform 6.1.0 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-07-26
    plugin id 69882
    published 2013-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69882
    title RHEL 5 : JBoss EAP (RHSA-2013:1207)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-85.NASL
    description James Forshaw discovered that, in Apache Santuario XML Security for Java, CanonicalizationMethod parameters were incorrectly validated: by specifying an arbitrary weak canonicalization algorithm, an attacker could spoof XML signatures. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-09
    plugin id 82230
    published 2015-03-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82230
    title Debian DLA-85-1 : libxml-security-java security update
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1209.NASL
    description The version of JBoss Enterprise Application Platform installed on the remote system is affected by the following issues : - Flaws in the mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp modules can allow an attacker to perform cross-site scripting (XSS) attacks. (CVE-2012-3499) - Flaws in the web interface of the mod_proxy_balancer module can allow a remote attacker to perform XSS attacks. (CVE-2012-4558) - A flaw in mod_rewrite can allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a terminal emulator. (CVE-2013-1862) - A flaw in the method by which the mod_dav module handles merge requests can allow an attacker to create a denial of service by sending a crafted merge request that contains URIs that are not configured for DAV. (CVE-2013-1896) - A flaw in PicketBox can allow local users to obtain the admin encryption key by reading the Vault data file. (CVE-2013-1921) - A flaw in Apache Santuario XML Security can allow context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak algorithm. (CVE-2013-2172) - A flaw in JGroup's DiagnosticsHandler can allow remote attackers to obtain sensitive information and execute arbitrary code by re-using valid credentials. (CVE-2013-4112)
    last seen 2019-02-21
    modified 2018-07-26
    plugin id 72238
    published 2014-01-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72238
    title JBoss Enterprise Application Platform 6.1.1 Update (RHSA-2013:1209)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1219.NASL
    description An updated xml-security package that fixes one security issue is now available for Red Hat JBoss Web Platform 5.2.0 for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Apache Santuario implements the XML Signature Syntax and Processing and XML Encryption Syntax and Processing standards. A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block. (CVE-2013-2172) Warning: Before applying this update, back up your existing Red Hat JBoss Web Platform installation (including all applications and configuration files). All users of Red Hat JBoss Web Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to this updated package. The JBoss server process must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 76290
    published 2014-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76290
    title RHEL 5 / 6 : xml-security in JBoss EWP (RHSA-2013:1219)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1217.NASL
    description An updated xml-security package that fixes one security issue is now available for Red Hat JBoss Enterprise Application Platform 5.2.0 for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Apache Santuario implements the XML Signature Syntax and Processing and XML Encryption Syntax and Processing standards. A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block. (CVE-2013-2172) Warning: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation (including all applications and configuration files). All users of Red Hat JBoss Enterprise Application Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to this updated package. The JBoss server process must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 69823
    published 2013-09-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69823
    title RHEL 5 / 6 : xml-security (RHSA-2013:1217)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3065.NASL
    description James Forshaw discovered that, in Apache Santuario XML Security for Java, CanonicalizationMethod parameters were incorrectly validated: by specifying an arbitrary weak canonicalization algorithm, an attacker could spoof XML signatures.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 78896
    published 2014-11-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78896
    title Debian DSA-3065-1 : libxml-security-java - security update
redhat via4
advisories
  • rhsa
    id RHSA-2013:1207
  • rhsa
    id RHSA-2013:1208
  • rhsa
    id RHSA-2013:1209
  • rhsa
    id RHSA-2013:1217
  • rhsa
    id RHSA-2013:1218
  • rhsa
    id RHSA-2013:1219
  • rhsa
    id RHSA-2013:1220
  • rhsa
    id RHSA-2013:1375
  • rhsa
    id RHSA-2013:1437
  • rhsa
    id RHSA-2013:1853
  • rhsa
    id RHSA-2014:0212
refmap via4
bid 60846
bugtraq 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
confirm
debian DSA-3065
fulldisc 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
misc http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876&r2=1493772&pathrev=1493772&diff_format=h
osvdb 94651
secunia 54019
ubuntu USN-2028-1
Last major update 28-11-2016 - 14:09
Published 20-08-2013 - 18:55
Last modified 09-10-2018 - 15:34