CVE-2011-2487

The implementations of the PKCS#1 v1.5 key transport mechanism for XML Encryption in JBossWS and Apache WSS4J before 1.6.5 are susceptible to a Bleichenbacher attack (an adaptive chosen-ciphertext attack that uses the recipient's padding-validity responses as an oracle).
References
Link Resource
http://cxf.apache.org/note-on-cve-2011-2487.html Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0191.html Patch Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0192.html Patch Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0193.html Broken Link Patch Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0194.html Patch Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0195.html Patch Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0196.html Patch Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0198.html Patch Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0221.html Patch Vendor Advisory
http://www.securityfocus.com/bid/57549 Third Party Advisory VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=713539 Issue Tracking Patch Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/81737 VDB Entry Vendor Advisory
https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
https://www.nds.ruhr-uni-bochum.de/research/publications/breaking-xml-encryption-pkcs15/ Technical Description Third Party Advisory
Configurations

Configuration 1

OR cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:wss4j:*:*:*:*:*:*:*:*

Configuration 2

OR cpe:2.3:a:redhat:jboss_business_rules_management_system:5.3:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform_text-only_advisories:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_portal:4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_web_services:-:*:*:*:*:*:*:*

History

13 Feb 2023, 01:19

Type: Summary
Values Removed: A flaw was found in JBoss web services where the services used a weak symmetric encryption protocol, PKCS#1 v1.5. An attacker could use this weakness in chosen-ciphertext attacks to recover the symmetric key and conduct further attacks.
Values Added: The implementations of PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 is susceptible to a Bleichenbacher attack.

Type: References
Values Removed (refsource MISC, no tags):
  • https://access.redhat.com/security/cve/CVE-2011-2487
  • https://access.redhat.com/errata/RHSA-2013:0533
  • https://access.redhat.com/errata/RHSA-2013:0196
  • https://access.redhat.com/errata/RHSA-2013:0194
  • https://access.redhat.com/errata/RHSA-2013:0197
  • https://access.redhat.com/errata/RHSA-2013:0192
  • https://access.redhat.com/errata/RHSA-2013:0191
  • https://access.redhat.com/errata/RHSA-2013:0953
  • https://access.redhat.com/errata/RHSA-2013:0221
  • https://access.redhat.com/errata/RHSA-2013:0193
  • https://access.redhat.com/errata/RHSA-2013:0198
  • https://access.redhat.com/errata/RHSA-2013:0195

02 Feb 2023, 14:16

Type: References
Values Removed (refsource MLIST, no tags):
  • https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E ([cxf-commits] 20201112 svn commit: r1067927 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2020-13954.txt.asc security-advisories.html)
  • https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E ([cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html)
  • https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E ([cxf-commits] 20200319 svn commit: r1058035 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html)
  • https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E ([cxf-commits] 20200401 svn commit: r1058573 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2020-1954.txt.asc security-advisories.html)
  • https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E ([cxf-commits] 20210616 svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html)
Values Added (refsource MISC):
  • https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
  • https://access.redhat.com/security/cve/CVE-2011-2487
  • https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
  • https://access.redhat.com/errata/RHSA-2013:0191
  • https://access.redhat.com/errata/RHSA-2013:0533
  • https://access.redhat.com/errata/RHSA-2013:0196
  • https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
  • https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
  • https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
  • https://access.redhat.com/errata/RHSA-2013:0194
  • https://access.redhat.com/errata/RHSA-2013:0197
  • https://access.redhat.com/errata/RHSA-2013:0192
  • https://access.redhat.com/errata/RHSA-2013:0221
  • https://access.redhat.com/errata/RHSA-2013:0953
  • https://access.redhat.com/errata/RHSA-2013:0193
  • https://access.redhat.com/errata/RHSA-2013:0198
  • https://access.redhat.com/errata/RHSA-2013:0195

Type: Summary
Values Removed: The implementations of PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 is susceptible to a Bleichenbacher attack.
Values Added: A flaw was found in JBoss web services where the services used a weak symmetric encryption protocol, PKCS#1 v1.5. An attacker could use this weakness in chosen-ciphertext attacks to recover the symmetric key and conduct further attacks.

16 Jun 2021, 12:15

Type: References
Values Added (refsource MLIST):
  • https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E

02 Apr 2021, 12:15

Type: References
Values Added (refsource MLIST):
  • https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E

Information

Published : 2020-03-11 16:15

Updated : 2023-12-10 13:13


NVD link : CVE-2011-2487

Mitre link : CVE-2011-2487

CVE.ORG link : CVE-2011-2487


JSON object : View

Products Affected

redhat

  • jboss_enterprise_web_platform
  • jboss_portal
  • jboss_enterprise_soa_platform
  • jboss_business_rules_management_system
  • jboss_enterprise_application_platform
  • jboss_enterprise_application_platform_text-only_advisories
  • jboss_middleware_text-only_advisories
  • jboss_web_services

apache

  • wss4j
  • cxf

CWE
CWE-327

Use of a Broken or Risky Cryptographic Algorithm