The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache Santuario XML Security for Java: incorrect check of Streaming XML Signature

Synthesis of the vulnerability 

An attacker can create a malicious XML document which is accepted as correctly signed by the StAX (streaming) signature verifier of Apache Santuario XML Security for Java.
Impacted systems: Apache XML Security for Java.
Severity of this alert: 3/4.
Creation date: 19/01/2015.
References of this alert: CVE-2014-8152, VIGILANCE-VUL-16001.

Description of the vulnerability 

Version 2 of the Apache Santuario XML Security for Java product implements Streaming XML Signature support (StAX), which verifies the signature of a document while reading it progressively through a stream reader.

However, a signed XML document can be altered without the alteration being detected by the StAX signature verification function.

An attacker can therefore create a malicious XML document which is accepted as correctly signed by the StAX verifier of Apache Santuario XML Security for Java.

This threat impacts software or systems such as Apache XML Security for Java.

Our Vigil@nce team determined that the severity of this computer threat is important.

The trust level is "confirmed by the editor", with an origin of "document".

An attacker with an expert ability can exploit this cybersecurity bulletin.

Solutions for this threat 

Apache Santuario XML Security for Java: version 2.0.3 is fixed:
  http://santuario.apache.org/
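To help locate builds still exposed to the streaming-verification flaw described above, here is an added inventory check (not code from Vigil@nce or the Santuario project) that scans a Maven pom.xml for the org.apache.santuario:xmlsec dependency and flags any 2.x version below the fixed 2.0.3 release; the embedded pom.xml is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml declaring an affected Santuario release.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.santuario</groupId>
      <artifactId>xmlsec</artifactId>
      <version>2.0.2</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
    </dependency>
  </dependencies>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
FIXED = (2, 0, 3)  # first release containing the fix, per the bulletin


def parse_version(text):
    """Return the leading numeric components as a 3-tuple.
    Qualifier suffixes such as -SNAPSHOT are ignored (simplifying assumption)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(version):
    # Only the 2.x line ships the StAX verifier; anything below 2.0.3 is exposed.
    v = parse_version(version)
    return v[0] == 2 and v < FIXED


def find_santuario_versions(pom_xml):
    """Yield (version, affected) for every xmlsec dependency in the pom."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iterfind(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=NS)
        ver = dep.findtext("m:version", default="", namespaces=NS)
        if gid == "org.apache.santuario" and aid == "xmlsec" and ver:
            found.append((ver, is_affected(ver)))
    return found


if __name__ == "__main__":
    for ver, bad in find_santuario_versions(SAMPLE_POM):
        print(f"xmlsec {ver}: {'affected by CVE-2014-8152' if bad else 'not affected'}")
```

Versions managed through a parent pom or a dependencyManagement section are not resolved here; run it against the effective pom (mvn help:effective-pom) for an accurate answer.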

Computer vulnerabilities tracking service 

Vigil@nce provides a computer security workaround. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications.