Test ID: 1.3.6.1.4.1.25623.1.0.111004
Category: Web application abuses
Title: Apache Axis2 <= 1.6.2 Multiple Vulnerabilities
Summary: Apache Axis2 is prone to multiple vulnerabilities.
Description:

Summary:
Apache Axis2 is prone to multiple vulnerabilities.

Vulnerability Insight:
The following flaws exist:

- CVE-2012-5785: a security bypass vulnerability because the application fails to properly
validate SSL certificates from the server

- CVE-2012-4418: a security vulnerability involving XML signature wrapping

- CVE-2012-5351: a SAML assertion that lacks a Signature element, aka a
'Signature exclusion attack'

Vulnerability Impact:
Successfully exploiting these issues has the following impact:

- CVE-2012-5785: allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid
in further attacks

- CVE-2012-4418: may allow unauthenticated attackers to construct specially crafted messages that
can be successfully verified and contain arbitrary content. This may aid in further attacks

- CVE-2012-5351: allows remote attackers to forge messages and bypass authentication

Affected Software/OS:
The issue affects versions up to 1.6.2.

Solution:
No known solution was made available for at least one year
since the disclosure of this vulnerability. Likely none will be provided anymore. General solution
options are to upgrade to a newer release, disable respective features, remove the product or
replace the product by another one.

CVSS Score:
6.4

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:N

Cross Reference:
Common Vulnerability Exposure (CVE) ID: CVE-2012-5785
BugTraq ID: 56408
http://www.securityfocus.com/bid/56408
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
http://secunia.com/advisories/51219
XForce ISS Database: apache-axis2-ssl-spoofing(79830)
https://exchange.xforce.ibmcloud.com/vulnerabilities/79830
Common Vulnerability Exposure (CVE) ID: CVE-2012-4418
BugTraq ID: 55508
http://www.securityfocus.com/bid/55508
[oss-security] 20120912 CVE Request: Apache Axis2 XML Signature Wrapping Attack
http://www.openwall.com/lists/oss-security/2012/09/12/1
[oss-security] 20120912 Re: CVE Request: Apache Axis2 XML Signature Wrapping Attack
http://www.openwall.com/lists/oss-security/2012/09/13/1
http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf
https://bugzilla.redhat.com/show_bug.cgi?id=856755
Common Vulnerability Exposure (CVE) ID: CVE-2012-5351
https://www.oracle.com/security-alerts/cpuapr2022.html
XForce ISS Database: apache-axis2-saml-sec-bypass(79487)
https://exchange.xforce.ibmcloud.com/vulnerabilities/79487
Copyright: Copyright (C) 2015 SCHUTZWERK GmbH
