Bugzilla – Bug 779901
VUL-0: CVE-2012-4418: axis2: XML Signature Wrapping Attack
Last modified: 2019-06-17 09:27:44 UTC
Public, via oss-sec:

Juraj Somorovsky and colleagues have described an XML Signature Wrapping (XSW) attack against a variety of platforms in a paper delivered at USENIX [0]. Various platforms are covered, including OpenSAML and Apache Axis2. OpenSAML is covered by CVE-2011-1411 [1], but I can't find a CVE ID for Axis2. Could one please be assigned? The OpenSAML CVE ID is 2011 because some vendors were given pre-notification of the issue in 2011. Since all the details were made public in 2012, I suggest assigning a 2012 CVE ID for Axis2.

Thanks
--
David Jorm / Red Hat Security Response Team

[0] http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf
[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1411
bugbot adjusting priority
I don't think we are affected, but I will need to look closer.
There has been another issue found in axis2: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5351
I would say we can reject the CVE-2012-4418 as Debian did
http://security-tracker.debian.org/tracker/CVE-2012-4418

The CVE-2012-5351 is not yet declined, but I doubt we are vulnerable as well
http://security-tracker.debian.org/tracker/CVE-2012-5351

We can wait on the rejection, or close it now ...
Let's close it now. Thank you for looking into it so quickly, Michal!