jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."

Oracle GlassFish versions 2.1.1, 3.0.1, and 3.1.2 are affected by the following vulnerabilities :/n/n - The Java Server Faces is prone to multiple directory traversal vulnerabilities/n - The Metro component is affected by a remote security vulnerability which can be exploited via SOAP/n - The Metro component is also affected by a potential DoS condition which can be exploited via SOAP/n

James Forshaw discovered that, in Apache Santuario XML Security for Java, CanonicalizationMethod parameters were incorrectly validated: by specifying an arbitrary weak canonicalization algorithm, an attacker could spoof XML signatures.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

James Forshaw discovered that, in Apache Santuario XML Security for Java, CanonicalizationMethod parameters were incorrectly validated: by specifying an arbitrary weak canonicalization algorithm, an attacker could spoof XML signatures.

An updated xml-security package that fixes one security issue is now available for Red Hat JBoss Web Platform 5.2.0 for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Apache Santuario implements the XML Signature Syntax and Processing and XML Encryption Syntax and Processing standards.

A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.
(CVE-2013-2172)

Warning: Before applying this update, back up your existing Red Hat JBoss Web Platform installation (including all applications and configuration files).

All users of Red Hat JBoss Web Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to this updated package. The JBoss server process must be restarted for the update to take effect.

The version of JBoss Enterprise Application Platform installed on the remote system is affected by the following issues :

  - Flaws in the mod_info, mod_status, mod_imagemap,     mod_ldap, and mod_proxy_ftp modules can allow an     attacker to perform cross-site scripting (XSS) attacks.
    (CVE-2012-3499)

  - Flaws in the web interface of the mod_proxy_balancer     module can allow a remote attacker to perform XSS     attacks. (CVE-2012-4558)

  - A flaw in mod_rewrite can allow remote attackers to     execute arbitrary commands via an HTTP request     containing an escape sequence for a terminal emulator.
    (CVE-2013-1862)

  - A flaw in the method by which the mod_dav module     handles merge requests can allow an attacker to create     a denial of service by sending a crafted merge request     that contains URIs that are not configured for DAV.
    (CVE-2013-1896)

  - A flaw in PicketBox can allow local users to obtain the     admin encryption key by reading the Vault data file.
    (CVE-2013-1921)

  - A flaw in Apache Santuario XML Security can allow     context-dependent attackers to spoof an XML Signature     by using the CanonicalizationMethod parameter to     specify an arbitrary weak algorithm. (CVE-2013-2172)

  - A flaw in JGroup's DiagnosticsHandler can allow remote     attackers to obtain sensitive information and execute     arbitrary code by re-using valid credentials.
    (CVE-2013-4112)

The version of JBoss Enterprise Portal Platform on the remote system is affected by the following issues:

  - A flaw in CSRF prevention filter in JBoss Web could allow     remote attackers to bypass the cross-site request forgery     (CSRF) protection mechanism via a request that lacks a     session identifier. (CVE-2012-4431)

  - A flaw that occurs when the COOKIE session tracking     method is used can allow attackers to hijack users'     sessions. (CVE-2012-4529)

  - A flaw that occurs when multiple applications use the     same custom authorization module class name can allow a     local attacker to deploy a malicious application that     overrides the custom authorization modules provided by     other applications. (CVE-2012-4572)

  - The framework does not verify that a specified     cryptographic algorithm is allowed by the     WS-SecurityPolicy AlgorithmSuite definition before     decrypting.  This can allow remote attackers to force     the system to use weaker cryptographic algorithms than     intended and makes it easier to decrypt communications.
    (CVE-2012-5575)

  - A flaw in PicketBox can allow local users to obtain the     admin encryption key by reading the Vault data file.
    (CVE-2013-1921)

  - A session fixation flaw was found in the     FormAuthenticator module. (CVE-2013-2067)

  - A flaw that occurs when a JGroups channel was started     results in the JGroups diagnostics service being enabled     by default with no authentication via IP multicast. A     remote attacker can make use of this flaw to read     diagnostics information. (CVE-2013-2102)

  - A flaw in the StAX parser implementation can allow     remote attackers to cause a denial of service via     crafted XML. (CVE-2013-2160)

  - A flaw in Apache Santuario XML Security can allow     context-dependent attackers to spoof an XML Signature     by using the CanonicalizationMethod parameter to     specify an arbitrary weak algorithm. (CVE-2013-2172)

  - A flaw in JGroup's DiagnosticsHandler can allow remote     attackers to obtain sensitive information and execute     arbitrary code by re-using valid credentials.
    (CVE-2013-4112)

  - A flaw in the manner in which authenticated connections     were cached on the server by remote-naming can allow     remote attackers to hijack sessions by using a remoting     client. (CVE-2013-4128)

  - A flaw in the manner in which connections for EJB     invocations were cached on the server can allow remote     attackers to hijack sessions by using an EJB client.
    (CVE-2013-4213)

James Forshaw discovered that Apache XML Security for Java incorrectly validated CanonicalizationMethod parameters. An attacker could use this flaw to spoof XML signatures.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of GlassFish Server running on the remote host is affected by multiple vulnerabilities in the following components :

  - Java Server Faces
  - Metro

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2013:1208 advisory.

    Red Hat JBoss Enterprise Application Platform 6 is a platform for Java     applications based on JBoss Application Server 7.

    This release serves as a replacement for Red Hat JBoss Enterprise     Application Platform 6.1.0, and includes bug fixes and enhancements. Refer     to the 6.1.1 Release Notes for information on the most significant of these     changes, available shortly from     https://access.redhat.com/site/documentation/

    Security fixes:

    Cross-site scripting (XSS) flaws were found in the mod_info, mod_status,     mod_imagemap, mod_ldap, and mod_proxy_ftp modules. An attacker could     possibly use these flaws to perform XSS attacks if they were able to make     the victim's browser generate an HTTP request with a specially-crafted Host     header. (CVE-2012-3499)

    Cross-site scripting (XSS) flaws were found in the mod_proxy_balancer     module's manager web interface. If a remote attacker could trick a user,     who was logged into the manager web interface, into visiting a     specially-crafted URL, it would lead to arbitrary web script execution in     the context of the user's manager interface session. (CVE-2012-4558)

    A flaw was found in the way the mod_dav module handled merge requests. An     attacker could use this flaw to send a crafted merge request that contains     URIs that are not configured for DAV, causing the httpd child process to     crash. (CVE-2013-1896)

    A flaw was found in the way Apache Santuario XML Security for Java     validated XML signatures. Santuario allowed a signature to specify an     arbitrary canonicalization algorithm, which would be applied to the     SignedInfo XML fragment. A remote attacker could exploit this to spoof an     XML signature via a specially-crafted XML signature block. (CVE-2013-2172)

    It was found that mod_rewrite did not filter terminal escape sequences from     its log file. If mod_rewrite was configured with the RewriteLog directive,     a remote attacker could use specially-crafted HTTP requests to inject     terminal escape sequences into the mod_rewrite log file. If a victim viewed     the log file with a terminal emulator, it could result in arbitrary command     execution with the privileges of that user. (CVE-2013-1862)

    The data file used by PicketBox Vault to store encrypted passwords contains     a copy of its own admin key. The file is encrypted using only this admin     key, not the corresponding JKS key. A local attacker with permission to     read the vault data file could read the admin key from the file, and use it     to decrypt the file and read the stored passwords in clear text.
    (CVE-2013-1921)

    A flaw was found in JGroup's DiagnosticsHandler that allowed an attacker on     an adjacent network to reuse the credentials from a previous successful     authentication. This could be exploited to read diagnostic information     (information disclosure) and attain limited remote code execution.
    (CVE-2013-4112)

    Warning: Before applying this update, back up your existing Red Hat JBoss     Enterprise Application Platform installation and deployed applications.
    Refer to the Solution section for further details.

    All users of Red Hat JBoss Enterprise Application Platform 6.1.0 on Red Hat     Enterprise Linux 6 are advised to upgrade to these updated packages. The     JBoss server process must be restarted for the update to take effect.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2013:1207 advisory.

    Red Hat JBoss Enterprise Application Platform 6 is a platform for Java     applications based on JBoss Application Server 7.

    This release serves as a replacement for Red Hat JBoss Enterprise     Application Platform 6.1.0, and includes bug fixes and enhancements. Refer     to the 6.1.1 Release Notes for information on the most significant of these     changes, available shortly from     https://access.redhat.com/site/documentation/

    Security fixes:

    Cross-site scripting (XSS) flaws were found in the mod_info, mod_status,     mod_imagemap, mod_ldap, and mod_proxy_ftp modules. An attacker could     possibly use these flaws to perform XSS attacks if they were able to make     the victim's browser generate an HTTP request with a specially-crafted Host     header. (CVE-2012-3499)

    Cross-site scripting (XSS) flaws were found in the mod_proxy_balancer     module's manager web interface. If a remote attacker could trick a user,     who was logged into the manager web interface, into visiting a     specially-crafted URL, it would lead to arbitrary web script execution in     the context of the user's manager interface session. (CVE-2012-4558)

    A flaw was found in the way the mod_dav module handled merge requests. An     attacker could use this flaw to send a crafted merge request that contains     URIs that are not configured for DAV, causing the httpd child process to     crash. (CVE-2013-1896)

    A flaw was found in the way Apache Santuario XML Security for Java     validated XML signatures. Santuario allowed a signature to specify an     arbitrary canonicalization algorithm, which would be applied to the     SignedInfo XML fragment. A remote attacker could exploit this to spoof an     XML signature via a specially-crafted XML signature block. (CVE-2013-2172)

    It was found that mod_rewrite did not filter terminal escape sequences from     its log file. If mod_rewrite was configured with the RewriteLog directive,     a remote attacker could use specially-crafted HTTP requests to inject     terminal escape sequences into the mod_rewrite log file. If a victim viewed     the log file with a terminal emulator, it could result in arbitrary command     execution with the privileges of that user. (CVE-2013-1862)

    The data file used by PicketBox Vault to store encrypted passwords contains     a copy of its own admin key. The file is encrypted using only this admin     key, not the corresponding JKS key. A local attacker with permission to     read the vault data file could read the admin key from the file, and use it     to decrypt the file and read the stored passwords in clear text.
    (CVE-2013-1921)

    A flaw was found in JGroup's DiagnosticsHandler that allowed an attacker on     an adjacent network to reuse the credentials from a previous successful     authentication. This could be exploited to read diagnostic information     (information disclosure) and attain limited remote code execution.
    (CVE-2013-4112)

    Warning: Before applying this update, back up your existing Red Hat JBoss     Enterprise Application Platform installation and deployed applications.
    Refer to the Solution section for further details.

    All users of Red Hat JBoss Enterprise Application Platform 6.1.0 on Red Hat     Enterprise Linux 5 are advised to upgrade to these updated packages. The     JBoss server process must be restarted for the update to take effect.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An updated xml-security package that fixes one security issue is now available for Red Hat JBoss Enterprise Application Platform 5.2.0 for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Apache Santuario implements the XML Signature Syntax and Processing and XML Encryption Syntax and Processing standards.

A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.
(CVE-2013-2172)

Warning: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation (including all applications and configuration files).

All users of Red Hat JBoss Enterprise Application Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to this updated package. The JBoss server process must be restarted for the update to take effect.

ID	Name	Product	Family	Severity
9000	Oracle GlassFish Server 2.1.1 / 3.0.1 / 3.1.2 Multiple Vulnerabilities (October 2013 CPU)	Nessus Network Monitor	Web Servers	medium
82230	Debian DLA-85-1 : libxml-security-java security update	Nessus	Debian Local Security Checks	medium
78896	Debian DSA-3065-1 : libxml-security-java - security update	Nessus	Debian Local Security Checks	medium
76290	RHEL 5 / 6 : xml-security in JBoss EWP (RHSA-2013:1219)	Nessus	Red Hat Local Security Checks	medium
72238	JBoss Enterprise Application Platform 6.1.1 Update (RHSA-2013:1209)	Nessus	Red Hat Local Security Checks	medium
72237	JBoss Portal 6.1.0 Update (RHSA-2013:1437)	Nessus	Red Hat Local Security Checks	high
70875	Ubuntu 10.04 LTS : libxml-security-java vulnerability (USN-2028-1)	Nessus	Ubuntu Local Security Checks	medium
70482	Oracle GlassFish Server Multiple Vulnerabilities (October 2013 CPU)	Nessus	Web Servers	medium
69883	RHEL 6 : Red Hat JBoss Enterprise Application Platform 6.1.1 update (Moderate) (RHSA-2013:1208)	Nessus	Red Hat Local Security Checks	medium
69882	RHEL 5 : Red Hat JBoss Enterprise Application Platform 6.1.1 update (Moderate) (RHSA-2013:1207)	Nessus	Red Hat Local Security Checks	medium
69823	RHEL 5 / 6 : xml-security (RHSA-2013:1217)	Nessus	Red Hat Local Security Checks	medium

Detections

Analytics

CVE-2013-2172

medium

Tenable Plugins

medium

medium

medium

medium

medium

high

medium

medium

medium

medium

medium