CVE-2011-2487

jbossws: Prone to Bleichenbacher attack against the to-be-distributed symmetric key

Severity Score

5.9
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The implementations of PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 is susceptible to a Bleichenbacher attack.

The implementations of the PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J versions prior to 1.6.5 are susceptible to a Bleichenbacher-type attack.

A flaw was found in JBoss web services where the services used a weak key transport scheme, PKCS#1 v1.5, to distribute the symmetric key. An attacker could use this weakness in chosen-ciphertext attacks to recover the symmetric key and conduct further attacks.

*Credits: N/A
CVSS Scores
CVSS v3.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None
CVSS v2, first score (AV:N/AC:M/Au:N/C:P/I:N/A:N)
  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
CVSS v2, second score (AV:N/AC:L/Au:N/C:C/I:N/A:N)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Complete
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2011-06-15 CVE Reserved
  • 2013-01-25 CVE Published
  • 2023-07-15 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CAPEC
Affected Vendors, Products, and Versions
  • Apache / Cxf / >= 2.4.0 <= 2.4.6 / Affected
  • Apache / Cxf / >= 2.5.0 <= 2.5.2 / Affected
  • Apache / Wss4j / < 1.6.5 / Affected
  • Redhat / Jboss Business Rules Management System / 5.3 / Affected
  • Redhat / Jboss Enterprise Application Platform / 5.0.0 / Affected
  • Redhat / Jboss Enterprise Application Platform Text-only Advisories / (no version listed) / Affected
  • Redhat / Jboss Enterprise Soa Platform / 4.2.0 / Affected
  • Redhat / Jboss Enterprise Soa Platform / 4.3.0 / Affected
  • Redhat / Jboss Enterprise Web Platform / 5.0.0 / Affected
  • Redhat / Jboss Middleware Text-only Advisories / (no version listed) / Affected
  • Redhat / Jboss Portal / 4.0.0 / Affected
  • Redhat / Jboss Web Services / (no version listed) / Affected