CVE-2011-4314: Input Validation
First published: Fri Jan 27 2012(Updated: )
message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Openid Openid4java | <=0.9.5.593 | |
| Kay Framework Project Kay Framework | =1.0.0 | |
| Red Hat JBoss Enterprise Application Platform | =5.1.2 | |
| Openid Openid4java | =0.9.2 | |
| Kay Framework Project Kay Framework | =0.1.0 | |
| Red Hat JBoss Enterprise Application Platform | =5.1.1 | |
| Kay Framework Project Kay Framework | <=1.0.1 | |
| Kay Framework Project Kay Framework | =0.8.0 | |
| Kay Framework Project Kay Framework | =0.2.0 | |
| Red Hat JBoss Enterprise Application Platform | =5.1.0 | |
| Openid Openid4java | =0.9.4.339 | |
| Openid Openid4java | =0.9.3 | |
| Kay Framework Project Kay Framework | =0.0.0 | |
| Kay Framework Project Kay Framework | =0.3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://securitytracker.com/id?1026400
- http://www.redhat.com/support/errata/RHSA-2011-1804.html
- https://issues.jboss.org/browse/SOA-3597
- https://issues.jboss.org/browse/JBEPP-1368
- http://secunia.com/advisories/44496
- http://openid.net/2011/05/05/attribute-exchange-security-alert/
- http://www.openwall.com/lists/oss-security/2011/11/16/1
- http://www.openwall.com/lists/oss-security/2011/11/17/1
- http://rhn.redhat.com/errata/RHSA-2012-0441.html
- http://rhn.redhat.com/errata/RHSA-2012-0519.html
- http://secunia.com/advisories/48697
- http://secunia.com/advisories/48954
Frequently Asked Questions
What is the severity of CVE-2011-4314?
CVE-2011-4314 has been classified as a medium severity vulnerability.
How do I fix CVE-2011-4314?
To mitigate CVE-2011-4314, upgrade OpenID4Java to version 0.9.6 or later and ensure that your other affected software components are also updated.
What software versions are affected by CVE-2011-4314?
CVE-2011-4314 affects OpenID4Java versions before 0.9.6, Kay Framework versions up to 1.0.1, and JBoss Enterprise Application Platform versions before 5.1.2.
What type of attack can be executed due to CVE-2011-4314?
CVE-2011-4314 allows remote attackers to modify the Attribute Exchange (AX) information due to lack of signature verification.
Is CVE-2011-4314 still relevant today?
While CVE-2011-4314 is an older vulnerability, it remains relevant for systems using the affected versions of the software mentioned.
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/remedy
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/openid
- canonical/openid openid4java
- version/openid openid4java/0.9.5.593
- vendor/kay framework project
- canonical/kay framework project kay framework
- version/kay framework project kay framework/1.0.0
- vendor/redhat
- canonical/red hat jboss enterprise application platform
- version/red hat jboss enterprise application platform/5.1.2
- version/openid openid4java/0.9.2
- version/kay framework project kay framework/0.1.0
- version/red hat jboss enterprise application platform/5.1.1
- version/kay framework project kay framework/1.0.1
- version/kay framework project kay framework/0.8.0
- version/kay framework project kay framework/0.2.0
- version/red hat jboss enterprise application platform/5.1.0
- version/openid openid4java/0.9.4.339
- version/openid openid4java/0.9.3
- version/kay framework project kay framework/0.0.0
- version/kay framework project kay framework/0.3.0