SB2013082106 - Improper verification of cryptographic signature in Apache Santuario XML Security for Java
Published: August 21, 2013 Updated: March 13, 2023
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper verification of cryptographic signature (CVE-ID: CVE-2013-2172)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper verification of the signature's canonicalization method in jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java: the algorithm named in the document's CanonicalizationMethod element was applied to the SignedInfo part of the Signature without being restricted to genuine canonicalization algorithms. A remote attacker can spoof an XML signature by using the CanonicalizationMethod parameter to specify an arbitrary weak canonicalization algorithm to be applied to the SignedInfo part of the Signature.
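A defensive allowlist check an application can place in front of XML signature validation, added here as an example and not taken from the bulletin or from the Santuario project; it uses the standard javax.xml.crypto.dsig API and assumes a namespace-aware DOM Document, a Key for the signer, Java 9 or later, and the hypothetical class name StrictSignatureValidator. It mirrors the restriction the fix imposes on CanonicalizationMethod as defense in depth, not as a substitute for installing the update.

```java
import java.security.Key;
import java.util.Set;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
public final class StrictSignatureValidator {
    // Only genuine canonicalization algorithms may be applied to SignedInfo.
    private static final Set<String> ALLOWED_C14N = Set.of(
            CanonicalizationMethod.INCLUSIVE, CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS,
            CanonicalizationMethod.EXCLUSIVE, CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS);
    // Returns true only if the first ds:Signature in doc validates under key AND its
    // CanonicalizationMethod is allowlisted. doc must have been parsed namespace-aware.
    public static boolean validate(Document doc, Key key) throws Exception {
        Element sigEl = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        if (sigEl == null) {
            throw new IllegalArgumentException("no ds:Signature element");
        }
        // Inspect the document-supplied Algorithm URI before the library acts on it.
        String alg = child(child(sigEl, "SignedInfo"), "CanonicalizationMethod")
                .getAttribute("Algorithm");
        if (!ALLOWED_C14N.contains(alg)) {
            throw new SecurityException("CanonicalizationMethod not allowed: " + alg);
        }
        DOMValidateContext ctx = new DOMValidateContext(key, sigEl);
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        // Re-check what the library actually parsed, not only the raw attribute.
        String parsed = sig.getSignedInfo().getCanonicalizationMethod().getAlgorithm();
        if (!ALLOWED_C14N.contains(parsed)) {
            throw new SecurityException("CanonicalizationMethod not allowed: " + parsed);
        }
        return sig.validate(ctx);
    }
    // First direct child element in the XML-DSig namespace with the given local name.
    private static Element child(Element parent, String localName) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE && XMLSignature.XMLNS.equals(n.getNamespaceURI())
                    && localName.equals(n.getLocalName())) {
                return (Element) n;
            }
        }
        throw new IllegalArgumentException("missing ds:" + localName);
    }
}
```

A document whose CanonicalizationMethod names anything other than the four standard C14N URIs is rejected before the signature library processes it, and the same check is repeated on the parsed SignedInfo so that the raw attribute and the library's interpretation cannot diverge.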
Remediation
Install the update from the vendor's website.
References
- http://www.osvdb.org/94651
- http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc
- http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876&r2=1493772&pathrev=1493772&diff_format=h
- http://rhn.redhat.com/errata/RHSA-2013-1217.html
- http://rhn.redhat.com/errata/RHSA-2013-1218.html
- http://rhn.redhat.com/errata/RHSA-2013-1220.html
- http://rhn.redhat.com/errata/RHSA-2013-1219.html
- http://rhn.redhat.com/errata/RHSA-2013-1208.html
- http://rhn.redhat.com/errata/RHSA-2013-1209.html
- http://rhn.redhat.com/errata/RHSA-2013-1207.html
- http://rhn.redhat.com/errata/RHSA-2013-1375.html
- http://rhn.redhat.com/errata/RHSA-2013-1437.html
- http://rhn.redhat.com/errata/RHSA-2013-1853.html
- http://rhn.redhat.com/errata/RHSA-2014-0212.html
- http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
- http://www.debian.org/security/2014/dsa-3065
- http://www.vmware.com/security/advisories/VMSA-2014-0012.html
- http://seclists.org/fulldisclosure/2014/Dec/23
- http://www.securityfocus.com/bid/60846
- http://www.ubuntu.com/usn/USN-2028-1
- http://www.securityfocus.com/archive/1/534161/100/0/threaded
- https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E
- https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E