CVE-2011-2487
jbossws: prone to Bleichenbacher attack against the symmetric key being distributed
- Severity Score
- Exploit Likelihood
- Affected Versions
- Public Exploits: 0
- Exploited in Wild: -
- Decision
Descriptions
The implementations of the PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 are susceptible to a Bleichenbacher attack.
A flaw was found in JBoss web services where the services used a weak symmetric encryption protocol, PKCS#1 v1.5. An attacker could use this weakness in chosen-ciphertext attacks to recover the symmetric key and conduct further attacks.
Red Hat JBoss Portal is the open source implementation of the Java EE suite of services and Portal services running atop Red Hat JBoss Enterprise Application Platform. JBoss Web Services leaked side-channel data when distributing symmetric keys, allowing a remote attacker to recover the entire plain text form of a symmetric key. Spring framework could possibly evaluate Expression Language expressions twice, allowing a remote attacker to execute arbitrary code in the context of the application server, or to obtain sensitive information from the server.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2011-06-15 CVE Reserved
- 2013-06-18 CVE Published
- 2024-08-06 CVE Updated
- 2025-04-03 EPSS Updated
- Exploited in Wild: no date recorded
- KEV Due Date: no date recorded
- First Exploit: no date recorded
CWE
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CAPEC
References (19)
URL | Date | SRC
---|---|---
http://rhn.redhat.com/errata/RHSA-2013-0191.html | 2023-02-13 |
http://rhn.redhat.com/errata/RHSA-2013-0192.html | 2023-02-13 |
http://rhn.redhat.com/errata/RHSA-2013-0193.html | 2023-02-13 |
http://rhn.redhat.com/errata/RHSA-2013-0194.html | 2023-02-13 |
http://rhn.redhat.com/errata/RHSA-2013-0195.html | 2023-02-13 |
http://rhn.redhat.com/errata/RHSA-2013-0196.html | 2023-02-13 |
http://rhn.redhat.com/errata/RHSA-2013-0198.html | 2023-02-13 |
http://rhn.redhat.com/errata/RHSA-2013-0221.html | 2023-02-13 |
https://bugzilla.redhat.com/show_bug.cgi?id=713539 | 2013-06-18 |
http://cxf.apache.org/note-on-cve-2011-2487.html | 2023-02-13 |
https://exchange.xforce.ibmcloud.com/vulnerabilities/81737 | 2023-02-13 |
https://access.redhat.com/security/cve/CVE-2011-2487 | 2013-06-18 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Apache | Cxf | >= 2.4.0 <= 2.4.6 | - | Affected
Apache | Cxf | >= 2.5.0 <= 2.5.2 | - | Affected
Apache | Wss4j | < 1.6.5 | - | Affected
Redhat | Jboss Business Rules Management System | 5.3 | - | Affected
Redhat | Jboss Enterprise Application Platform | 5.0.0 | - | Affected
Redhat | Jboss Enterprise Application Platform Text-only Advisories | - | - | Affected
Redhat | Jboss Enterprise Soa Platform | 4.2.0 | - | Affected
Redhat | Jboss Enterprise Soa Platform | 4.3.0 | - | Affected
Redhat | Jboss Enterprise Web Platform | 5.0.0 | - | Affected
Redhat | Jboss Middleware Text-only Advisories | - | - | Affected
Redhat | Jboss Portal | 4.0.0 | - | Affected
Redhat | Jboss Web Services | - | - | Affected