Bug 713539 (CVE-2011-2487) - CVE-2011-2487 jbossws: Prone to Bleichenbacher attack against to be distributed symmetric key
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-2487
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 883217 883218 883219 883220 883221 883222 918348
Blocks: 751414 789173 835396 849517 883225
Reported: 2011-06-15 17:47 UTC by Jan Lieskovsky
Modified: 2021-02-24 15:15 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in JBoss web services where the services used a weak symmetric encryption protocol, PKCS#1 v1.5. An attacker could use this weakness in chosen-ciphertext attacks to recover the symmetric key and conduct further attacks.
Clone Of:
Environment:
Last Closed: 2013-11-22 02:28:18 UTC



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2013:0191 | 0 | normal | SHIPPED_LIVE | Important: JBoss Enterprise Application Platform 5.2.0 update | 2013-01-24 23:30:08 UTC
Red Hat Product Errata | RHSA-2013:0192 | 0 | normal | SHIPPED_LIVE | Important: JBoss Enterprise Application Platform 5.2.0 update | 2013-01-24 23:28:23 UTC
Red Hat Product Errata | RHSA-2013:0193 | 0 | normal | SHIPPED_LIVE | Important: JBoss Enterprise Application Platform 5.2.0 update | 2013-01-24 23:42:29 UTC
Red Hat Product Errata | RHSA-2013:0194 | 0 | normal | SHIPPED_LIVE | Important: JBoss Enterprise Application Platform 5.2.0 update | 2013-01-24 23:08:14 UTC
Red Hat Product Errata | RHSA-2013:0195 | 0 | normal | SHIPPED_LIVE | Important: JBoss Enterprise Web Platform 5.2.0 update | 2013-01-24 23:41:24 UTC
Red Hat Product Errata | RHSA-2013:0196 | 0 | normal | SHIPPED_LIVE | Important: JBoss Enterprise Web Platform 5.2.0 update | 2013-01-24 23:55:46 UTC
Red Hat Product Errata | RHSA-2013:0197 | 0 | normal | SHIPPED_LIVE | Important: JBoss Enterprise Web Platform 5.2.0 update | 2013-01-24 23:54:22 UTC
Red Hat Product Errata | RHSA-2013:0198 | 0 | normal | SHIPPED_LIVE | Important: JBoss Enterprise Web Platform 5.2.0 update | 2013-01-25 00:07:17 UTC
Red Hat Product Errata | RHSA-2013:0221 | 0 | normal | SHIPPED_LIVE | Important: JBoss Enterprise BRMS Platform 5.3.1 update | 2013-02-01 01:23:18 UTC
Red Hat Product Errata | RHSA-2013:0533 | 0 | normal | SHIPPED_LIVE | Important: JBoss Enterprise SOA Platform 5.3.1 update | 2013-02-21 02:42:25 UTC
Red Hat Product Errata | RHSA-2013:0953 | 0 | normal | SHIPPED_LIVE | Important: Red Hat JBoss Portal 5.2.2 security update | 2013-06-18 18:48:45 UTC
Red Hat Product Errata | RHSA-2013:1757 | 0 | normal | SHIPPED_LIVE | Important: JBoss Web Services security update | 2013-11-21 23:06:33 UTC

Description Jan Lieskovsky 2011-06-15 17:47:15 UTC
It was found that JBossWS, a J2EE Web Services server, leaked further
channel data, by using PKCS#1 v1.5 protocol family / public key encryption
scheme in order to distribute the symmetric key. A remote attacker, aware
of a cryptographic weakness of the PKCS#1 v1.5 public key encryption scheme,
could use this flaw to conduct chosen-encrypted-key attacks, leading to the
recovery of the entire plaintext form of the intended symmetric key, to be
distributed, by examining the differences between SOAP responses sent
from the JBossWS server.

Acknowledgements:

Red Hat would like to thank Juraj Somorovsky of Ruhr-University Bochum
for reporting this issue.

Comment 7 Jan Lieskovsky 2011-06-23 13:55:25 UTC
The CVE identifier of CVE-2011-2487 has been assigned to this issue.

Comment 33 David Jorm 2012-11-21 01:42:27 UTC
Statement:

This flaw affects Apache CXF (WSS4J) and jbossws-native as shipped with various JBoss products. It does not affect JBoss Enterprise Application Platform 6 and JBoss Application Server 7.1.1 and above. These products include WSS4J 1.6.5, which incorporates a fix for this flaw. On affected products, this flaw can be mitigated by using the RSA-OAEP key wrap algorithm, instead of the default RSA-v1.5 algorithm. To use RSA-OAEP, edit the jboss-ws-security configuration file and add the property keyWrapAlgorithm="rsa_oaep" to the encrypt element.
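
An added example, not part of the original comment or of any Red Hat tooling: a Python check that lists every encrypt element in a jboss-ws-security configuration that does not carry keyWrapAlgorithm="rsa_oaep" and therefore still uses the default RSA-v1.5 key wrap. The sample file, its element layout, the aliases and the rsa_15 value are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration. Only the encrypt element and the
# keyWrapAlgorithm="rsa_oaep" property come from the advisory text; the
# layout, aliases and the "rsa_15" value are assumptions.
SAMPLE_CONFIG = """\
<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config">
  <config>
    <encrypt type="x509v3" alias="wsse"/>
  </config>
  <port name="OrdersPort">
    <config>
      <encrypt type="x509v3" alias="orders" keyWrapAlgorithm="rsa_oaep"/>
    </config>
  </port>
  <port name="LegacyPort">
    <config>
      <encrypt type="x509v3" alias="legacy" keyWrapAlgorithm="rsa_15"/>
    </config>
  </port>
</jboss-ws-security>
"""

SAFE_KEY_WRAP = "rsa_oaep"


def local_name(tag):
    """Strip an XML namespace: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def audit_key_wrap(xml_text):
    """Return (alias, configured value or None) for each encrypt element not set to RSA-OAEP."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local_name(elem.tag) != "encrypt":
            continue
        value = elem.get("keyWrapAlgorithm")
        # A missing attribute leaves the default RSA-v1.5 key wrap in effect.
        # The comparison is exact so that unexpected spellings are flagged too.
        if value != SAFE_KEY_WRAP:
            findings.append((elem.get("alias", "<no alias>"), value))
    return findings


if __name__ == "__main__":
    for alias, value in audit_key_wrap(SAMPLE_CONFIG):
        state = "missing (default RSA-v1.5)" if value is None else f"set to {value!r}"
        print(f"encrypt alias={alias}: keyWrapAlgorithm {state}")
```

Elements are matched by local name, so the check works whether or not the configuration file declares a namespace.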

Comment 36 Vincent Danen 2012-12-11 19:11:55 UTC
Upstream advisory for Apache CXF:

http://cxf.apache.org/note-on-cve-2011-2487.html

Comment 37 errata-xmlrpc 2013-01-24 18:09:05 UTC
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0194 https://rhn.redhat.com/errata/RHSA-2013-0194.html

Comment 38 errata-xmlrpc 2013-01-24 18:32:11 UTC
This issue has been addressed in following products:

  JBEAP 5 for RHEL 5

Via RHSA-2013:0192 https://rhn.redhat.com/errata/RHSA-2013-0192.html

Comment 39 errata-xmlrpc 2013-01-24 18:32:57 UTC
This issue has been addressed in following products:

  JBEAP 5 for RHEL 6

Via RHSA-2013:0191 https://rhn.redhat.com/errata/RHSA-2013-0191.html

Comment 40 errata-xmlrpc 2013-01-24 18:45:15 UTC
This issue has been addressed in following products:

  JBEWP 5 for RHEL 6

Via RHSA-2013:0195 https://rhn.redhat.com/errata/RHSA-2013-0195.html

Comment 41 errata-xmlrpc 2013-01-24 18:46:00 UTC
This issue has been addressed in following products:

  JBEAP 5 for RHEL 4

Via RHSA-2013:0193 https://rhn.redhat.com/errata/RHSA-2013-0193.html

Comment 42 errata-xmlrpc 2013-01-24 18:58:15 UTC
This issue has been addressed in following products:

  JBEWP 5 for RHEL 4

Via RHSA-2013:0197 https://rhn.redhat.com/errata/RHSA-2013-0197.html

Comment 43 errata-xmlrpc 2013-01-24 18:59:07 UTC
This issue has been addressed in following products:

  JBEWP 5 for RHEL 5

Via RHSA-2013:0196 https://rhn.redhat.com/errata/RHSA-2013-0196.html

Comment 44 errata-xmlrpc 2013-01-24 19:07:56 UTC
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0198 https://rhn.redhat.com/errata/RHSA-2013-0198.html

Comment 45 errata-xmlrpc 2013-01-31 20:31:02 UTC
This issue has been addressed in following products:

  JBoss Enterprise BRMS Platform 5.3.1

Via RHSA-2013:0221 https://rhn.redhat.com/errata/RHSA-2013-0221.html

Comment 46 errata-xmlrpc 2013-02-20 21:43:30 UTC
This issue has been addressed in following products:

  JBoss Enterprise SOA Platform 5.3.1

Via RHSA-2013:0533 https://rhn.redhat.com/errata/RHSA-2013-0533.html

Comment 47 errata-xmlrpc 2013-06-18 14:49:02 UTC
This issue has been addressed in following products:

  Red Hat JBoss Portal 5.2.2

Via RHSA-2013:0953 https://rhn.redhat.com/errata/RHSA-2013-0953.html

Comment 48 errata-xmlrpc 2013-11-22 00:41:42 UTC
This issue has been addressed in following products:

  Red Hat JBoss SOA Platform 4.3 CP05
  Red Hat JBoss Portal 4.3 CP07

Via RHSA-2013:1757 https://rhn.redhat.com/errata/RHSA-2013-1757.html
