Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Critical
Fix Version/s: 7.4.21.GA
Affects Version/s: 7.4.19.GA
Component/s: Server, Web Services
Labels:
- regression

Blocked:
False
Blocked Reason:
None
Ready:
False
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.4.z.GA
Git Pull Request:
https://github.com/apache/santuario-xml-security-java/commit/31e3901971d91c18a87a58dc7b4bbcac3654b6a7
Intelligence Requested:
Market:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Apps requiring a custom security provider may face an issue on 7.4.17+ if they depend on delayed provider selection. Security debug shows the delayed provider selection disabled by org.apache.xml.security.algorithms.implementations.SignatureBaseRSA:

 Signature: Signature.init() not first method called, disabling delayed provider selection 
 java.lang.Exception: Debug call trace 
        at java.security.Signature$Delegate.chooseFirstProvider(Signature.java:1054) 
        at java.security.Signature.getProvider(Signature.java:436) 
        at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.<init>(SignatureBaseRSA.java:64) 
        at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.<init>(SignatureBaseRSA.java:57) 
        at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1.<init>(SignatureBaseRSA.java:207)

That is a result of this commit in santuario 2.3.4, which we upgraded to for CVE-2024-28752.

We need to backport this fix or upgrade to santuario 2.3.5+ when available.

Assignee:: Lin Gao

Reporter:: Aaron Ogburn

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2024/11/21 4:49 PM

Updated:: 2024/11/22 3:16 AM

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates