CVE Database

CVE-2011-2487

Impact: Important
Public: 2012-09-04
CWE: CWE-327
Bugzilla: 713539: CVE-2011-2487 jbossws: Prone to Bleichenbacher attack against to be distributed symmetric key

Details

The MITRE CVE dictionary describes this issue as:

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Find out more about CVE-2011-2487 from the MITRE CVE dictionary and NIST NVD.

Statement

This flaw affects Apache CXF (WSS4J) and jbossws-native as shipped with various JBoss products. It does not affect JBoss Enterprise Application Platform 6 and JBoss Application Server 7.1.1 and above. These products include WSS4J 1.6.5, which incorporates a fix for this flaw. On affected products, this flaw can be mitigated by using the RSA-OAEP key wrap algorithm, instead of the default RSA-v1.5 algorithm. To use RSA-OAEP, edit the jboss-ws-security configuration file and add the property keyWrapAlgorithm="rsa_oaep" to the encrypt element.
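As an added illustration of the mitigation described in the statement above (this is example code, not Red Hat's or the JBoss project's own tooling), the following Python script audits a jboss-ws-security configuration for encrypt elements that do not select the RSA-OAEP key wrap and rewrites them so that keyWrapAlgorithm="rsa_oaep" is set. Only the attribute name and value come from the statement; the namespace URI, the surrounding element layout and the sample configurations are constructed assumptions about the jbossws-native jboss-wsse-*.xml format, so compare them against your own deployment descriptor before relying on the check.

```python
import xml.etree.ElementTree as ET

# Assumed namespace for jbossws-native WS-Security descriptors; only the
# keyWrapAlgorithm="rsa_oaep" attribute on <encrypt> is taken from the advisory.
WSSE_NS = "http://www.jboss.com/ws-security/config"

# Constructed sample: no keyWrapAlgorithm, so the RSA v1.5 default applies.
WEAK_CONFIG = f"""<jboss-ws-security xmlns="{WSSE_NS}">
  <config>
    <sign type="x509v3" alias="wsse"/>
    <encrypt type="x509v3" alias="wsse" algorithm="aes-128"/>
    <requires>
      <signature/>
      <encryption/>
    </requires>
  </config>
</jboss-ws-security>
"""

# Constructed sample: RSA v1.5 selected explicitly (assumed value "rsa_15").
EXPLICIT_WEAK_CONFIG = WEAK_CONFIG.replace(
    'algorithm="aes-128"', 'algorithm="aes-128" keyWrapAlgorithm="rsa_15"')

# Constructed sample: the mitigated configuration from the advisory statement.
FIXED_CONFIG = WEAK_CONFIG.replace(
    'algorithm="aes-128"', 'algorithm="aes-128" keyWrapAlgorithm="rsa_oaep"')


def _local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_key_wrap(xml_text):
    """Return one finding per <encrypt> element that does not use RSA-OAEP.

    Each finding is (current_value, message); current_value is None when the
    attribute is absent and the RSA v1.5 default therefore applies. An empty
    list means every encrypt element already selects the OAEP key wrap.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local_name(elem.tag) != "encrypt":
            continue
        value = elem.get("keyWrapAlgorithm")
        if value is None:
            findings.append((None, "keyWrapAlgorithm missing: default RSA v1.5 key wrap in use"))
        elif value.lower() != "rsa_oaep":
            findings.append((value, f"keyWrapAlgorithm={value!r}: not RSA-OAEP"))
    return findings


def harden(xml_text):
    """Return the descriptor with keyWrapAlgorithm="rsa_oaep" on every <encrypt>."""
    # Keep the default namespace unprefixed when serialising.
    ET.register_namespace("", WSSE_NS)
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local_name(elem.tag) == "encrypt":
            elem.set("keyWrapAlgorithm", "rsa_oaep")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    samples = [("weak", WEAK_CONFIG),
               ("explicit rsa_15", EXPLICIT_WEAK_CONFIG),
               ("fixed", FIXED_CONFIG)]
    for name, cfg in samples:
        print(f"{name}: {audit_key_wrap(cfg) or 'OK'}")
    print(harden(WEAK_CONFIG))
```

The audit deliberately treats a missing attribute as a finding rather than as "unknown", because on affected products the absent attribute is exactly the case that falls back to the RSA v1.5 default. Note that this only changes the descriptor; on affected products the underlying library remains unpatched, so applying the errata listed below is still the complete fix.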

CVSS v2 metrics

Base Score: 7.8
Base Metrics: AV:N/AC:L/Au:N/C:C/I:N/A:N
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: None
Availability Impact: None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat security errata

Platform Errata Release Date
JBoss Enterprise BRMS Platform 5.3 RHSA-2013:0221 January 31, 2013
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (jbossas) RHSA-2013:0193 January 24, 2013
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (jbossas) RHSA-2013:0192 January 24, 2013
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (jbossas) RHSA-2013:0191 January 24, 2013
Red Hat JBoss Enterprise Application Platform 5.2 RHSA-2013:0194 January 24, 2013
Red Hat JBoss Portal 4.3 RHSA-2013:1757 November 21, 2013
Red Hat JBoss Portal 5.2 RHSA-2013:0953 June 18, 2013
Red Hat JBoss SOA Platform 4.3 RHSA-2013:1757 November 21, 2013
Red Hat JBoss SOA Platform 5.3 RHSA-2013:0533 February 20, 2013
Red Hat JBoss Web Platform 5 for RHEL 4 AS (jbossas-web) RHSA-2013:0197 January 24, 2013
Red Hat JBoss Web Platform 5 for RHEL 5 Server (jbossas-web) RHSA-2013:0196 January 24, 2013
Red Hat JBoss Web Platform 5 for RHEL 6 Server (jbossas-web) RHSA-2013:0195 January 24, 2013
Red Hat JBoss Web Platform 5.2 RHSA-2013:0198 January 24, 2013

External References

https://www.nds.ruhr-uni-bochum.de/research/publications/breaking-xml-encryption-pkcs15/

Acknowledgements

Red Hat would like to thank Juraj Somorovsky of Ruhr-University Bochum for reporting this issue.

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact the Red Hat Security Response Team.