Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1191446 - (CVE-2015-0226) CVE-2015-0226 wss4j: Apache WSS4J is vulnerable to Bleichenbacher's attack (incomplete fix for CVE-2011-2487)
CVE-2015-0226 wss4j: Apache WSS4J is vulnerable to Bleichenbacher's attack (i...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20150210,repo...
: Security
Depends On: 1191455 1196854 1196855 1196856 1196857 1196858 1196859 1196860 1196861 1196862 1196863 1196864 1196865 1196866 1196867 1196868 1196869 1196870 1196871 1196872 1196873 1196874 1196875 1196876
Blocks: 1191452 1206755 1212496 1232965 1258580 1258582 1340536
  Show dependency treegraph
 
Reported: 2015-02-11 05:47 EST by Vasyl Kaigorodov
Modified: 2016-07-12 17:24 EDT (History)
61 users (show)

See Also:
Fixed In Version: wss4j 1.6.17, wss4j 2.0.2
Doc Type: Bug Fix
Doc Text:
It was found that a prior countermeasure in Apache WSS4J for Bleichenbacher's attack on XML Encryption (CVE-2011-2487) threw an exception that permitted an attacker to determine the failure of the attempted attack, thereby leaving WSS4J vulnerable to the attack. The original flaw allowed a remote attacker to recover the entire plain text form of a symmetric key.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-07-12 17:24:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0773 normal SHIPPED_LIVE Important: Red Hat JBoss Data Grid 6.4.1 update 2015-04-01 14:48:20 EDT
Red Hat Product Errata RHSA-2015:0846 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update 2015-04-16 16:17:12 EDT
Red Hat Product Errata RHSA-2015:0847 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update 2015-04-16 16:13:53 EDT
Red Hat Product Errata RHSA-2015:0848 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update 2015-04-16 16:26:01 EDT
Red Hat Product Errata RHSA-2015:0849 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update 2015-04-16 15:39:06 EDT
Red Hat Product Errata RHSA-2015:1176 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse 6.2.0 update 2015-06-23 16:52:52 EDT
Red Hat Product Errata RHSA-2015:1177 normal SHIPPED_LIVE Important: Red Hat JBoss A-MQ 6.2.0 update 2015-06-23 16:52:10 EDT
Red Hat Product Errata RHSA-2016:1376 normal SHIPPED_LIVE Critical: Red Hat JBoss SOA Platform security update 2016-06-30 21:06:13 EDT

  None (edit)
Description Vasyl Kaigorodov 2015-02-11 05:47:44 EST 
Apache WSS4J 1.6.5 contained a countermeasure for Bleichenbacher's attack on XML Encryption, where the PKCS#1 v1.5 Key Transport Algorithm is used to encrypt symmetric keys as part of WS-Security. In particular, the fix avoided leaking information on whether decryption failed when decrypting the encrypted key or decrypting the message data.

However, it is still possible to craft a message such that an attacker can tell where the decryption failure took place, and hence WSS4J is vulnerable to the original attack. 

See here for more information on the original fix for WSS4J 1.6.5:

http://cxf.apache.org/note-on-cve-2011-2487.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2487

This has been fixed in revision:

http://svn.apache.org/viewvc?view=revision&revision=1621329
Comment 1 Vasyl Kaigorodov 2015-02-11 05:57:46 EST 
Created wss4j tracking bugs for this issue:

Affects: fedora-all [bug 1191455]
Comment 6 errata-xmlrpc 2015-04-01 10:49:11 EDT 
This issue has been addressed in the following products:

  Red Hat JBoss Data Grid 6.4

Via RHSA-2015:0773 https://rhn.redhat.com/errata/RHSA-2015-0773.html
Comment 7 errata-xmlrpc 2015-04-16 11:39:39 EDT 
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.4.0

Via RHSA-2015:0849 https://rhn.redhat.com/errata/RHSA-2015-0849.html
Comment 8 errata-xmlrpc 2015-04-16 12:30:01 EDT 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:0847 https://rhn.redhat.com/errata/RHSA-2015-0847.html
Comment 9 errata-xmlrpc 2015-04-16 12:32:27 EDT 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:0846 https://rhn.redhat.com/errata/RHSA-2015-0846.html
Comment 10 errata-xmlrpc 2015-04-16 12:35:01 EDT 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2015:0848 https://rhn.redhat.com/errata/RHSA-2015-0848.html
Comment 11 errata-xmlrpc 2015-06-23 12:52:29 EDT 
This issue has been addressed in the following products:

  Red Hat JBoss A-MQ 6.2.0

Via RHSA-2015:1177 https://rhn.redhat.com/errata/RHSA-2015-1177.html
Comment 12 errata-xmlrpc 2015-06-23 12:53:31 EDT 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.2.0

Via RHSA-2015:1176 https://rhn.redhat.com/errata/RHSA-2015-1176.html
Comment 14 errata-xmlrpc 2016-06-30 17:06:26 EDT 
This issue has been addressed in the following products:

  Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2016:1376 https://access.redhat.com/errata/RHSA-2016:1376
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.