CVE-2011-2487

jbossws: Prone to Bleichenbacher attack against to be distributed symmetric key

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The implementations of PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 is susceptible to a Bleichenbacher attack.

Las implementaciones del mecanismo de transporte de claves PKCS#1 versión v1.5 para XMLEncryption en JBossWS y Apache WSS4J versiones anteriores a 1.6.5, son susceptibles a un ataque de tipo Bleichenbacher

A flaw was found in JBoss web services where the services used a weak symmetric encryption protocol, PKCS#1 v1.5. An attacker could use this weakness in chosen-ciphertext attacks to recover the symmetric key and conduct further attacks.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2011-06-15 CVE Reserved
2013-01-25 CVE Published
2023-07-15 EPSS Updated
2024-08-06 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

CAPEC

References (19)

URL	Tag	Source
http://www.securityfocus.com/bid/57549	Third Party Advisory
https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E	Mailing List
https://www.nds.ruhr-uni-bochum.de/research/publications/breaking-xml-encryption-pkcs15	Technical Description

URL	Date	SRC

URL	Date	SRC
http://rhn.redhat.com/errata/RHSA-2013-0191.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2013-0192.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2013-0193.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2013-0194.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2013-0195.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2013-0196.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2013-0198.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2013-0221.html	2023-02-13
https://bugzilla.redhat.com/show_bug.cgi?id=713539	2013-06-18

URL	Date	SRC
http://cxf.apache.org/note-on-cve-2011-2487.html	2023-02-13
https://exchange.xforce.ibmcloud.com/vulnerabilities/81737	2023-02-13
https://access.redhat.com/security/cve/CVE-2011-2487	2013-06-18

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Cxf Search vendor "Apache" for product "Cxf"				>= 2.4.0 <= 2.4.6 Search vendor "Apache" for product "Cxf" and version " >= 2.4.0 <= 2.4.6"		-		Affected
Apache Search vendor "Apache"		Cxf Search vendor "Apache" for product "Cxf"				>= 2.5.0 <= 2.5.2 Search vendor "Apache" for product "Cxf" and version " >= 2.5.0 <= 2.5.2"		-		Affected
Apache Search vendor "Apache"		Wss4j Search vendor "Apache" for product "Wss4j"				< 1.6.5 Search vendor "Apache" for product "Wss4j" and version " < 1.6.5"		-		Affected
Redhat Search vendor "Redhat"		Jboss Business Rules Management System Search vendor "Redhat" for product "Jboss Business Rules Management System"				5.3 Search vendor "Redhat" for product "Jboss Business Rules Management System" and version "5.3"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				5.0.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.0.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Text-only Advisories Search vendor "Redhat" for product "Jboss Enterprise Application Platform Text-only Advisories"				-		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Soa Platform Search vendor "Redhat" for product "Jboss Enterprise Soa Platform"				4.2.0 Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" and version "4.2.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Soa Platform Search vendor "Redhat" for product "Jboss Enterprise Soa Platform"				4.3.0 Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" and version "4.3.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Web Platform Search vendor "Redhat" for product "Jboss Enterprise Web Platform"				5.0.0 Search vendor "Redhat" for product "Jboss Enterprise Web Platform" and version "5.0.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Middleware Text-only Advisories Search vendor "Redhat" for product "Jboss Middleware Text-only Advisories"				-		-		Affected
Redhat Search vendor "Redhat"		Jboss Portal Search vendor "Redhat" for product "Jboss Portal"				4.0.0 Search vendor "Redhat" for product "Jboss Portal" and version "4.0.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Web Services Search vendor "Redhat" for product "Jboss Web Services"				-		-		Affected