Red Hat Customer Portal


CVE-2011-2487

Impact: Important
Public Date: 2012-09-04
CWE: CWE-327
Bugzilla: 713539: CVE-2011-2487 jbossws: Prone to Bleichenbacher attack against to be distributed symmetric key

The MITRE CVE dictionary describes this issue as:

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Find out more about CVE-2011-2487 from the MITRE CVE dictionary and NIST NVD.

Statement

This flaw affects Apache CXF (WSS4J) and jbossws-native as shipped with various JBoss products. It does not affect JBoss Enterprise Application Platform 6 and JBoss Application Server 7.1.1 and above. These products include WSS4J 1.6.5, which incorporates a fix for this flaw. On affected products, this flaw can be mitigated by using the RSA-OAEP key wrap algorithm, instead of the default RSA-v1.5 algorithm. To use RSA-OAEP, edit the jboss-ws-security configuration file and add the property keyWrapAlgorithm="rsa_oaep" to the encrypt element.
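As an added illustration (not taken from the Red Hat advisory or the JBossWS project), the following jbossws-native configuration fragment shows the mitigation described above applied to the encrypt element. The file name jboss-wsse-server.xml, the key alias, the type attribute and the namespace declaration are assumptions; only keyWrapAlgorithm="rsa_oaep" on the encrypt element comes from the statement.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the advisory. Assumed file: WEB-INF/jboss-wsse-server.xml.
     The namespace, type and alias values are assumptions; the keyWrapAlgorithm
     setting is the mitigation given in the Red Hat statement. -->
<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config">
  <config>
    <!-- Affected form: keyWrapAlgorithm omitted, so the default RSA-v1.5
         key wrap is used and the wrapped symmetric key is exposed to the
         Bleichenbacher padding-oracle attack (CWE-327). -->
    <!-- <encrypt type="x509v3" alias="wsse"/> -->

    <!-- Mitigated form: wrap the symmetric key with RSA-OAEP instead. -->
    <encrypt type="x509v3" alias="wsse" keyWrapAlgorithm="rsa_oaep"/>
  </config>
</jboss-ws-security>
```

The mitigation only changes how the symmetric key is wrapped; on products that ship WSS4J 1.6.5 or later the underlying flaw is already fixed and this setting is not required.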

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score: 7.8
Base Metrics: AV:N/AC:L/Au:N/C:C/I:N/A:N
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: None
Availability Impact: None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Portal 4.3 RHSA-2013:1757 2013-11-21
Red Hat JBoss Portal 5.2 RHSA-2013:0953 2013-06-18
Red Hat JBoss Enterprise Application Platform 5.2 RHSA-2013:0194 2013-01-24
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (xml-security) RHSA-2013:0191 2013-01-24
Red Hat JBoss Web Platform 5.2 RHSA-2013:0198 2013-01-24
Red Hat JBoss SOA Platform 4.3 RHSA-2013:1757 2013-11-21
Red Hat JBoss SOA Platform 5.3 RHSA-2013:0533 2013-02-20
JBoss Enterprise BRMS Platform 5.3 RHSA-2013:0221 2013-01-31
Red Hat JBoss Web Platform 5 for RHEL 6 Server (xml-security) RHSA-2013:0195 2013-01-24
Red Hat JBoss Web Platform 5 for RHEL 5 Server (xml-security) RHSA-2013:0196 2013-01-24
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (xml-security) RHSA-2013:0193 2013-01-24
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (xml-security) RHSA-2013:0192 2013-01-24
Red Hat JBoss Web Platform 5 for RHEL 4 AS (xml-security) RHSA-2013:0197 2013-01-24

Affected Packages State

Platform Package State
Red Hat JBoss Enterprise SOA Platform 5 cxf Affected
Red Hat JBoss Enterprise SOA Platform 4.2 jbossws-native Affected
Red Hat JBoss BRMS 5 cxf Affected
Red Hat JBoss Portal 5 jbossws-native Affected
Red Hat JBoss Portal Platform 4 jbossws-native Affected
Red Hat JBoss Enterprise SOA Platform 4.3 jbossws-native Affected

Acknowledgements

Red Hat would like to thank Juraj Somorovsky of Ruhr-University Bochum for reporting this issue.