NVD Vulnerability Detail

CVE-2013-2172

Summary	jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."
Publication Date	Aug. 21, 2013, 7:55 a.m.
Registration Date	Jan. 26, 2021, 3:37 p.m.
Last Update	Nov. 21, 2024, 10:51 a.m.

CVSS2.0 : MEDIUM
Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:P/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	なし
完全性への影響(I)	低
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.1:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.2:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.4:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.3:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.7:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.0:::::::*

Related information, measures and tools

No	URL	タグ
1	http://rhn.redhat.com/errata/RHSA-2013-1207.html
2	http://rhn.redhat.com/errata/RHSA-2013-1207.html
3	http://rhn.redhat.com/errata/RHSA-2013-1208.html
4	http://rhn.redhat.com/errata/RHSA-2013-1208.html
5	http://rhn.redhat.com/errata/RHSA-2013-1209.html
6	http://rhn.redhat.com/errata/RHSA-2013-1209.html
7	http://rhn.redhat.com/errata/RHSA-2013-1217.html
8	http://rhn.redhat.com/errata/RHSA-2013-1217.html
9	http://rhn.redhat.com/errata/RHSA-2013-1218.html
10	http://rhn.redhat.com/errata/RHSA-2013-1218.html
11	http://rhn.redhat.com/errata/RHSA-2013-1219.html
12	http://rhn.redhat.com/errata/RHSA-2013-1219.html
13	http://rhn.redhat.com/errata/RHSA-2013-1220.html
14	http://rhn.redhat.com/errata/RHSA-2013-1220.html
15	http://rhn.redhat.com/errata/RHSA-2013-1375.html
16	http://rhn.redhat.com/errata/RHSA-2013-1375.html
17	http://rhn.redhat.com/errata/RHSA-2013-1437.html
18	http://rhn.redhat.com/errata/RHSA-2013-1437.html
19	http://rhn.redhat.com/errata/RHSA-2013-1853.html
20	http://rhn.redhat.com/errata/RHSA-2013-1853.html
21	http://rhn.redhat.com/errata/RHSA-2014-0212.html
22	http://rhn.redhat.com/errata/RHSA-2014-0212.html
23	http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc	Vendor Advisory
24	http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc	Vendor Advisory
25	http://seclists.org/fulldisclosure/2014/Dec/23
26	http://seclists.org/fulldisclosure/2014/Dec/23
27	http://secunia.com/advisories/54019	Vendor Advisory
28	http://secunia.com/advisories/54019	Vendor Advisory
29	http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876&r2=1493772&pathrev=1493772&diff_format=h	Patch
30	http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876&r2=1493772&pathrev=1493772&diff_format=h	Patch
31	http://www.debian.org/security/2014/dsa-3065
32	http://www.debian.org/security/2014/dsa-3065
33	http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
34	http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
35	http://www.osvdb.org/94651
36	http://www.osvdb.org/94651
37	http://www.securityfocus.com/archive/1/534161/100/0/threaded
38	http://www.securityfocus.com/archive/1/534161/100/0/threaded
39	http://www.securityfocus.com/bid/60846
40	http://www.securityfocus.com/bid/60846
41	http://www.ubuntu.com/usn/USN-2028-1
42	http://www.ubuntu.com/usn/USN-2028-1
43	http://www.vmware.com/security/advisories/VMSA-2014-0012.html
44	http://www.vmware.com/security/advisories/VMSA-2014-0012.html
45	https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E
46	https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E
47	https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E
48	https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-310	暗号の問題	https://cwe.mitre.org/data/definitions/310.html

JVN Vulnerability Information

Apache Santuario XML Security for Java における XML 署名を偽装される脆弱性

Title	Apache Santuario XML Security for Java における XML 署名を偽装される脆弱性
Summary	Apache Santuario XML Security for Java の jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java には、XML 署名を偽装される脆弱性が存在します。
Possible impacts	攻撃者により、任意の脆弱な "署名の SignedInfo パートに適用する正規化アルゴリズム (canonicalization algorithm to apply to the SignedInfo part of the Signature)" を設定する CanonicalizationMethod パラメータを使用されることで、XML 署名を偽装される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	June 17, 2013, midnight
Registration Date	Aug. 22, 2013, 6:49 p.m.
Last Update	Aug. 3, 2015, 6:14 p.m.

Affected System

Apache Software Foundation

Apache Santuario XML Security for Java 1.4.8 未満の 1.4.x

Apache Santuario XML Security for Java 1.5.5 未満の 1.5.x

オラクル

Oracle Fusion Middleware の GlassFish Communications Server 2.0

Oracle GlassFish Server 2.1.1

Oracle GlassFish Server 3.0.1

Oracle GlassFish Server 3.1.2

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Apache Santuario
1	CVE-2013-2172	http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc
Common Vulnerabilities and Exposures (CVE)
2	CVE-2013-2172	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2172
National Vulnerability Database (NVD)
3	CVE-2013-2172	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2172

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-310	https://jvndb.jvn.jp/ja/cwe/CWE-310.html

ベンダー情報

No	Name	URL
Apache-SVN
1	Diff of /santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java	http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876&r2=1493772&pathrev=1493772&di
Oracle Critical Patch Update
2	Oracle Critical Patch Update Advisory - July 2014	http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
3	Oracle Critical Patch Update Advisory - October 2013	http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
4	Text Form of Oracle Critical Patch Update - July 2014 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujul2014verbose-1972958.html
5	Text Form of Oracle Critical Patch Update - October 2013 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpuoct2013verbose-1899842.html
Red Hat Bugzilla
6	Bug 999263	https://bugzilla.redhat.com/show_bug.cgi?id=999263
Red Hat Security Advisory
7	RHSA-2013:1207	http://rhn.redhat.com/errata/RHSA-2013-1207.html
8	RHSA-2013:1208	http://rhn.redhat.com/errata/RHSA-2013-1208.html
9	RHSA-2013:1209	http://rhn.redhat.com/errata/RHSA-2013-1209.html
10	RHSA-2013:1217	http://rhn.redhat.com/errata/RHSA-2013-1217.html
11	RHSA-2013:1218	http://rhn.redhat.com/errata/RHSA-2013-1218.html
12	RHSA-2013:1219	http://rhn.redhat.com/errata/RHSA-2013-1219.html
13	RHSA-2013:1220	http://rhn.redhat.com/errata/RHSA-2013-1220.html
14	RHSA-2013:1375	http://rhn.redhat.com/errata/RHSA-2013-1375.html
15	RHSA-2013:1437	http://rhn.redhat.com/errata/RHSA-2013-1437.html
16	RHSA-2013:1853	http://rhn.redhat.com/errata/RHSA-2013-1853.html
17	RHSA-2014:0212	http://rhn.redhat.com/errata/RHSA-2014-0212.html
18	RHSA-2014:0400	https://rhn.redhat.com/errata/RHSA-2014-0400.html
SECURITY BLOG
19	October 2013 Critical Patch Update Released	https://blogs.oracle.com/security/entry/october_2013_critical_patch_update

Change Log

No	Changed Details	Date of change
0	[2013年08月22日] 掲載 [2013年10月23日] 影響を受けるシステム：オラクル (Oracle Critical Patch Update Advisory - October 2013) の情報を追加ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - October 2013) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - October 2013 Risk Matrices) を追加ベンダ情報：オラクル (October 2013 Critical Patch Update Released) を追加 [2013年11月01日] ベンダ情報：レッドハット (RHSA-2013:1207) を追加ベンダ情報：レッドハット (RHSA-2013:1208) を追加ベンダ情報：レッドハット (RHSA-2013:1209) を追加ベンダ情報：レッドハット (RHSA-2013:1217) を追加ベンダ情報：レッドハット (RHSA-2013:1218) を追加ベンダ情報：レッドハット (RHSA-2013:1219) を追加ベンダ情報：レッドハット (RHSA-2013:1220) を追加ベンダ情報：レッドハット (RHSA-2013:1375) を追加ベンダ情報：レッドハット (RHSA-2013:1437) を追加 [2014年02月27日] ベンダ情報：レッドハット (Bug 999263) を追加ベンダ情報：レッドハット (RHSA-2013:1853) を追加ベンダ情報：レッドハット (RHSA-2014:0212) を追加 [2014年07月25日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - July 2014) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - July 2014 Risk Matrices) を追加 [2015年08月03日] ベンダ情報：レッドハット (RHSA-2014:0400) を追加	Feb. 17, 2018, 10:37 a.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.1:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.2:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.4:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.3:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.7:::::::*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.0:::::::*