Date: Wed, 12 Sep 2012 02:06:32 -0400 (EDT)
From: David Jorm <djorm@...hat.com>
To: "oss-security " <oss-security@...ts.openwall.com>
Subject: CVE Request: Apache Axis2 XML Signature Wrapping Attack

Juraj Somorovsky and colleagues have described an XML Signature Wrapping (XSW) attack against a variety of platforms in a paper delivered at USENIX [0]. Various platforms are covered, including OpenSAML and Apache Axis2. OpenSAML is covered by CVE-2011-1411 [1], but I can't find a CVE ID for Axis2. Could one please be assigned? The OpenSAML CVE ID is 2011 because some vendors were given pre-notification of the issue in 2011. Since all the details were made public in 2012, I suggest assigning a 2012 CVE ID for Axis2.

Thanks
-- 
David Jorm / Red Hat Security Response Team

[0] http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf
[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1411
