Apache WSS4J 1.6.5 contained a countermeasure for Bleichenbacher's attack on XML Encryption, where the PKCS#1 v1.5 Key Transport Algorithm is used to encrypt symmetric keys as part of WS-Security. In particular, the fix avoided leaking information on whether decryption failed when decrypting the encrypted key or decrypting the message data. However, it is still possible to craft a message such that an attacker can tell where the decryption failure took place, and hence WSS4J is vulnerable to the original attack. See here for more information on the original fix for WSS4J 1.6.5: http://cxf.apache.org/note-on-cve-2011-2487.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2487 This has been fixed in revision: http://svn.apache.org/viewvc?view=revision&revision=1621329
Created wss4j tracking bugs for this issue: Affects: fedora-all [bug 1191455]
This issue has been addressed in the following products: Red Hat JBoss Data Grid 6.4 Via RHSA-2015:0773 https://rhn.redhat.com/errata/RHSA-2015-0773.html
This issue has been addressed in the following products: JBoss Enterprise Application Platform 6.4.0 Via RHSA-2015:0849 https://rhn.redhat.com/errata/RHSA-2015-0849.html
This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 6 Via RHSA-2015:0847 https://rhn.redhat.com/errata/RHSA-2015-0847.html
This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 5 Via RHSA-2015:0846 https://rhn.redhat.com/errata/RHSA-2015-0846.html
This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 7 Via RHSA-2015:0848 https://rhn.redhat.com/errata/RHSA-2015-0848.html
This issue has been addressed in the following products: Red Hat JBoss A-MQ 6.2.0 Via RHSA-2015:1177 https://rhn.redhat.com/errata/RHSA-2015-1177.html
This issue has been addressed in the following products: Red Hat JBoss Fuse 6.2.0 Via RHSA-2015:1176 https://rhn.redhat.com/errata/RHSA-2015-1176.html
This issue has been addressed in the following products: Red Hat JBoss SOA Platform 5.3.1 Via RHSA-2016:1376 https://access.redhat.com/errata/RHSA-2016:1376