CVE-2012-5575
First published: Tue Nov 27 2012(Updated: )
Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka "XML Encryption backwards compatibility attack."
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache CXF | =2.5.0 | |
| Apache CXF | =2.5.1 | |
| Apache CXF | =2.5.2 | |
| Apache CXF | =2.5.3 | |
| Apache CXF | =2.5.4 | |
| Apache CXF | =2.5.5 | |
| Apache CXF | =2.5.6 | |
| Apache CXF | =2.5.7 | |
| Apache CXF | =2.5.8 | |
| Apache CXF | =2.5.9 | |
| Apache CXF | =2.6.0 | |
| Apache CXF | =2.6.1 | |
| Apache CXF | =2.6.2 | |
| Apache CXF | =2.6.3 | |
| Apache CXF | =2.6.4 | |
| Apache CXF | =2.6.5 | |
| Apache CXF | =2.6.6 | |
| Apache CXF | =2.7.0 | |
| Apache CXF | =2.7.1 | |
| Apache CXF | =2.7.2 | |
| Apache CXF | =2.7.3 | |
| redhat jboss enterprise application platform | =5.0.0 | |
| Red Hat JBoss Portal | =4.3.0 | |
| Red Hat JBoss Enterprise SOA Platform | =4.3.0 | |
| Red Hat JBoss Enterprise Web Platform | =5.2.0 | |
| Red Hat JBoss Fuse ESB Enterprise | =7.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://cxf.apache.org/cve-2012-5575.html
- http://rhn.redhat.com/errata/RHSA-2013-0833.html
- http://rhn.redhat.com/errata/RHSA-2013-0834.html
- http://rhn.redhat.com/errata/RHSA-2013-0839.html
- http://rhn.redhat.com/errata/RHSA-2013-0873.html
- http://rhn.redhat.com/errata/RHSA-2013-0874.html
- http://rhn.redhat.com/errata/RHSA-2013-0875.html
- http://rhn.redhat.com/errata/RHSA-2013-0876.html
- http://rhn.redhat.com/errata/RHSA-2013-0943.html
- http://rhn.redhat.com/errata/RHSA-2013-1028.html
- http://rhn.redhat.com/errata/RHSA-2013-1143.html
- http://rhn.redhat.com/errata/RHSA-2013-1437.html
- http://www.nds.ruhr-uni-bochum.de/research/publications/backwards-compatibility/
- http://www.securityfocus.com/bid/60043
- https://bugzilla.redhat.com/show_bug.cgi?id=880443
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
- https://access.redhat.com/security/cve/CVE-2011-1096
- https://access.redhat.com/security/cve/CVE-2011-2487
- https://rhn.redhat.com/errata/RHSA-2013-0833.html
- https://rhn.redhat.com/errata/RHSA-2013-0834.html
- https://rhn.redhat.com/errata/RHSA-2013-0839.html
- https://rhn.redhat.com/errata/RHSA-2013-0876.html
- https://rhn.redhat.com/errata/RHSA-2013-0875.html
- https://rhn.redhat.com/errata/RHSA-2013-0874.html
- https://rhn.redhat.com/errata/RHSA-2013-0873.html
- https://rhn.redhat.com/errata/RHSA-2013-0943.html
- https://rhn.redhat.com/errata/RHSA-2013-0953.html
- https://rhn.redhat.com/errata/RHSA-2013-1006.html
- https://rhn.redhat.com/errata/RHSA-2013-1028.html
- https://rhn.redhat.com/errata/RHSA-2013-1143.html
- https://rhn.redhat.com/errata/RHSA-2013-1437.html
Frequently Asked Questions
What is the severity of CVE-2012-5575?
CVE-2012-5575 is considered a moderate severity vulnerability due to the potential for weak cryptographic algorithm usage.
How do I fix CVE-2012-5575?
To fix CVE-2012-5575, upgrade Apache CXF to version 2.5.10, 2.6.7, or 2.7.4 or later.
Which versions of Apache CXF are vulnerable to CVE-2012-5575?
Apache CXF versions 2.5.0 to 2.5.9, 2.6.0 to 2.6.6, and 2.7.0 to 2.7.3 are vulnerable to CVE-2012-5575.
What type of attacks can be performed using CVE-2012-5575?
CVE-2012-5575 allows attackers to force the use of weaker cryptographic algorithms during decryption.
Is there a patch available for CVE-2012-5575?
Yes, patches are available in the updated versions of Apache CXF released after the vulnerability was identified.
- agent/type
- agent/first-publish-date
- agent/references
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-5575
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/author
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/apache
- canonical/apache cxf
- version/apache cxf/2.5.0
- version/apache cxf/2.5.1
- version/apache cxf/2.5.2
- version/apache cxf/2.5.3
- version/apache cxf/2.5.4
- version/apache cxf/2.5.5
- version/apache cxf/2.5.6
- version/apache cxf/2.5.7
- version/apache cxf/2.5.8
- version/apache cxf/2.5.9
- version/apache cxf/2.6.0
- version/apache cxf/2.6.1
- version/apache cxf/2.6.2
- version/apache cxf/2.6.3
- version/apache cxf/2.6.4
- version/apache cxf/2.6.5
- version/apache cxf/2.6.6
- version/apache cxf/2.7.0
- version/apache cxf/2.7.1
- version/apache cxf/2.7.2
- version/apache cxf/2.7.3
- vendor/redhat
- canonical/redhat jboss enterprise application platform
- version/redhat jboss enterprise application platform/5.0.0
- canonical/red hat jboss portal
- version/red hat jboss portal/4.3.0
- canonical/red hat jboss enterprise soa platform
- version/red hat jboss enterprise soa platform/4.3.0
- canonical/red hat jboss enterprise web platform
- version/red hat jboss enterprise web platform/5.2.0
- canonical/red hat jboss fuse esb enterprise
- version/red hat jboss fuse esb enterprise/7.1.0