Bug 713539 (CVE-2011-2487)
Summary: | CVE-2011-2487 jbossws: Prone to Bleichenbacher attack against to be distributed symmetric key | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | asoldano, bressers, djorm, fnasser, security-response-team |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
A flaw was found in JBoss web services where the services used a weak symmetric encryption protocol, PKCS#1 v1.5. An attacker could use this weakness in chosen-ciphertext attacks to recover the symmetric key and conduct further attacks.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2013-11-22 02:28:18 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 883217, 883218, 883219, 883220, 883221, 883222, 918348 | ||
Bug Blocks: | 751414, 789173, 835396, 849517, 883225 |
Description
Jan Lieskovsky
2011-06-15 17:47:15 UTC
The CVE identifier of CVE-2011-2487 has been assigned to this issue. External References: https://www.nds.ruhr-uni-bochum.de/research/publications/breaking-xml-encryption-pkcs15/ Statement: This flaw affects Apache CXF (WSS4J) and jbossws-native as shipped with various JBoss products. It does not affect JBoss Enterprise Application Platform 6 and JBoss Application Server 7.1.1 and above. These products include WSS4J 1.6.5, which incorporates a fix for this flaw. On affected products, this flaw can be mitigated by using the RSA-OAEP key wrap algorithm, instead of the default RSA-v1.5 algorithm. To use RSA-OAEP, edit the jboss-ws-security configuration file and add the property keyWrapAlgorithm="rsa_oaep" to the encrypt element. Upstream advisory for Apache CXF: http://cxf.apache.org/note-on-cve-2011-2487.html This issue has been addressed in following products: JBoss Enterprise Application Platform 5.2.0 Via RHSA-2013:0194 https://rhn.redhat.com/errata/RHSA-2013-0194.html This issue has been addressed in following products: JBEAP 5 for RHEL 5 Via RHSA-2013:0192 https://rhn.redhat.com/errata/RHSA-2013-0192.html This issue has been addressed in following products: JBEAP 5 for RHEL 6 Via RHSA-2013:0191 https://rhn.redhat.com/errata/RHSA-2013-0191.html This issue has been addressed in following products: JBEWP 5 for RHEL 6 Via RHSA-2013:0195 https://rhn.redhat.com/errata/RHSA-2013-0195.html This issue has been addressed in following products: JBEAP 5 for RHEL 4 Via RHSA-2013:0193 https://rhn.redhat.com/errata/RHSA-2013-0193.html This issue has been addressed in following products: JBEWP 5 for RHEL 4 Via RHSA-2013:0197 https://rhn.redhat.com/errata/RHSA-2013-0197.html This issue has been addressed in following products: JBEWP 5 for RHEL 5 Via RHSA-2013:0196 https://rhn.redhat.com/errata/RHSA-2013-0196.html This issue has been addressed in following products: JBoss Enterprise Web Platform 5.2.0 Via RHSA-2013:0198 https://rhn.redhat.com/errata/RHSA-2013-0198.html This issue has been addressed in following products: JBoss Enterprise BRMS Platform 5.3.1 Via RHSA-2013:0221 https://rhn.redhat.com/errata/RHSA-2013-0221.html This issue has been addressed in following products: JBoss Enterprise SOA Platform 5.3.1 Via RHSA-2013:0533 https://rhn.redhat.com/errata/RHSA-2013-0533.html This issue has been addressed in following products: Red Hat JBoss Portal 5.2.2 Via RHSA-2013:0953 https://rhn.redhat.com/errata/RHSA-2013-0953.html This issue has been addressed in following products: Red Hat JBoss SOA Platform 4.3 CP05 Red Hat JBoss Portal 4.3 CP07 Via RHSA-2013:1757 https://rhn.redhat.com/errata/RHSA-2013-1757.html |