CVE-2012-5575
First published: Tue Nov 27 2012(Updated: )
Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka "XML Encryption backwards compatibility attack."
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache CXF | =2.5.0 | |
| Apache CXF | =2.5.1 | |
| Apache CXF | =2.5.2 | |
| Apache CXF | =2.5.3 | |
| Apache CXF | =2.5.4 | |
| Apache CXF | =2.5.5 | |
| Apache CXF | =2.5.6 | |
| Apache CXF | =2.5.7 | |
| Apache CXF | =2.5.8 | |
| Apache CXF | =2.5.9 | |
| Apache CXF | =2.6.0 | |
| Apache CXF | =2.6.1 | |
| Apache CXF | =2.6.2 | |
| Apache CXF | =2.6.3 | |
| Apache CXF | =2.6.4 | |
| Apache CXF | =2.6.5 | |
| Apache CXF | =2.6.6 | |
| Apache CXF | =2.7.0 | |
| Apache CXF | =2.7.1 | |
| Apache CXF | =2.7.2 | |
| Apache CXF | =2.7.3 | |
| Redhat Jboss Enterprise Application Platform | =5.0.0 | |
| Redhat Jboss Enterprise Portal Platform | =4.3.0 | |
| Redhat Jboss Enterprise Soa Platform | =4.3.0 | |
| Redhat Jboss Enterprise Web Platform | =5.2.0 | |
| Redhat Jboss Fuse Esb Enterprise | =7.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://cxf.apache.org/cve-2012-5575.html
- http://rhn.redhat.com/errata/RHSA-2013-0833.html
- http://rhn.redhat.com/errata/RHSA-2013-0834.html
- http://rhn.redhat.com/errata/RHSA-2013-0839.html
- http://rhn.redhat.com/errata/RHSA-2013-0873.html
- http://rhn.redhat.com/errata/RHSA-2013-0874.html
- http://rhn.redhat.com/errata/RHSA-2013-0875.html
- http://rhn.redhat.com/errata/RHSA-2013-0876.html
- http://rhn.redhat.com/errata/RHSA-2013-0943.html
- http://rhn.redhat.com/errata/RHSA-2013-1028.html
- http://rhn.redhat.com/errata/RHSA-2013-1143.html
- http://rhn.redhat.com/errata/RHSA-2013-1437.html
- http://www.nds.ruhr-uni-bochum.de/research/publications/backwards-compatibility/
- http://www.securityfocus.com/bid/60043
- https://bugzilla.redhat.com/show_bug.cgi?id=880443
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
- https://access.redhat.com/security/cve/CVE-2011-1096
- https://access.redhat.com/security/cve/CVE-2011-2487
- https://rhn.redhat.com/errata/RHSA-2013-0833.html
- https://rhn.redhat.com/errata/RHSA-2013-0834.html
- https://rhn.redhat.com/errata/RHSA-2013-0839.html
- https://rhn.redhat.com/errata/RHSA-2013-0876.html
- https://rhn.redhat.com/errata/RHSA-2013-0875.html
- https://rhn.redhat.com/errata/RHSA-2013-0874.html
- https://rhn.redhat.com/errata/RHSA-2013-0873.html
- https://rhn.redhat.com/errata/RHSA-2013-0943.html
- https://rhn.redhat.com/errata/RHSA-2013-0953.html
- https://rhn.redhat.com/errata/RHSA-2013-1006.html
- https://rhn.redhat.com/errata/RHSA-2013-1028.html
- https://rhn.redhat.com/errata/RHSA-2013-1143.html
- https://rhn.redhat.com/errata/RHSA-2013-1437.html
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/references
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-5575
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/author
- agent/description
- agent/tags
- agent/event
- agent/trending
- vendor/apache
- canonical/apache cxf
- version/apache cxf/2.5.0
- version/apache cxf/2.5.1
- version/apache cxf/2.5.2
- version/apache cxf/2.5.3
- version/apache cxf/2.5.4
- version/apache cxf/2.5.5
- version/apache cxf/2.5.6
- version/apache cxf/2.5.7
- version/apache cxf/2.5.8
- version/apache cxf/2.5.9
- version/apache cxf/2.6.0
- version/apache cxf/2.6.1
- version/apache cxf/2.6.2
- version/apache cxf/2.6.3
- version/apache cxf/2.6.4
- version/apache cxf/2.6.5
- version/apache cxf/2.6.6
- version/apache cxf/2.7.0
- version/apache cxf/2.7.1
- version/apache cxf/2.7.2
- version/apache cxf/2.7.3
- vendor/redhat
- canonical/redhat jboss enterprise application platform
- version/redhat jboss enterprise application platform/5.0.0
- canonical/redhat jboss enterprise portal platform
- version/redhat jboss enterprise portal platform/4.3.0
- canonical/redhat jboss enterprise soa platform
- version/redhat jboss enterprise soa platform/4.3.0
- canonical/redhat jboss enterprise web platform
- version/redhat jboss enterprise web platform/5.2.0
- canonical/redhat jboss fuse esb enterprise
- version/redhat jboss fuse esb enterprise/7.1.0