CVE-2011-2487

Current Description

The implementations of the PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 are susceptible to a Bleichenbacher attack.

Referenced by CVEs: CVE-2015-0226

Basic Data

Published: March 11, 2020
Last Modified: March 19, 2020
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-327
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 4.3
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version bounds (Start Including / End Including / Start Excluding / End Excluding)
    2.3 | Application | Apache | Cxf | * | * | * | * | * | * | * | * | 2.4.0, 2.4.6
    2.3 | Application | Apache | Cxf | * | * | * | * | * | * | * | * | 2.5.0, 2.5.2
    2.3 | Application | Apache | Wss4j | * | * | * | * | * | * | * | * | 1.6.5
  • OR - Configuration 2
    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version bounds (Start Including / End Including / Start Excluding / End Excluding)
    2.3 | Application | Redhat | Jboss Business Rules Management System | 5.3 | * | * | * | * | * | * | * |
    2.3 | Application | Redhat | Jboss Enterprise Application Platform | 5.0.0 | * | * | * | * | * | * | * |
    2.3 | Application | Redhat | Jboss Enterprise Application Platform Text-only Advisories | - | * | * | * | * | * | * | * |
    2.3 | Application | Redhat | Jboss Enterprise Soa Platform | 4.2.0 | * | * | * | * | * | * | * |
    2.3 | Application | Redhat | Jboss Enterprise Soa Platform | 4.3.0 | * | * | * | * | * | * | * |
    2.3 | Application | Redhat | Jboss Enterprise Web Platform | 5.0.0 | * | * | * | * | * | * | * |
    2.3 | Application | Redhat | Jboss Middleware Text-only Advisories | - | * | * | * | * | * | * | * |
    2.3 | Application | Redhat | Jboss Portal | 4.0.0 | * | * | * | * | * | * | * |
    2.3 | Application | Redhat | Jboss Web Services | - | * | * | * | * | * | * | * |

Vulnerable Software List

Vendor | Product | Versions
Apache | Cxf | *
Apache | Wss4j | *
Redhat | Jboss Enterprise Application Platform | 5.0.0
Redhat | Jboss Business Rules Management System | 5.3
Redhat | Jboss Enterprise Application Platform Text-only Advisories | -
Redhat | Jboss Enterprise Web Platform | 5.0.0
Redhat | Jboss Middleware Text-only Advisories | -
Redhat | Jboss Portal | 4.0.0
Redhat | Jboss Enterprise Soa Platform | 4.2.0, 4.3.0
Redhat | Jboss Web Services | -

References

  • http://cxf.apache.org/note-on-cve-2011-2487.html (Source: MISC; Tags: Vendor Advisory)
  • http://rhn.redhat.com/errata/RHSA-2013-0191.html (Source: MISC; Tags: Patch, Vendor Advisory)
  • http://rhn.redhat.com/errata/RHSA-2013-0192.html (Source: MISC; Tags: Patch, Vendor Advisory)
  • http://rhn.redhat.com/errata/RHSA-2013-0193.html (Source: MISC; Tags: Broken Link, Patch, Vendor Advisory)
  • http://rhn.redhat.com/errata/RHSA-2013-0194.html (Source: MISC; Tags: Patch, Vendor Advisory)
  • http://rhn.redhat.com/errata/RHSA-2013-0195.html (Source: MISC; Tags: Patch, Vendor Advisory)
  • http://rhn.redhat.com/errata/RHSA-2013-0196.html (Source: MISC; Tags: Patch, Vendor Advisory)
  • http://rhn.redhat.com/errata/RHSA-2013-0198.html (Source: MISC; Tags: Patch, Vendor Advisory)
  • http://rhn.redhat.com/errata/RHSA-2013-0221.html (Source: MISC; Tags: Patch, Vendor Advisory)
  • http://www.securityfocus.com/bid/57549 (Source: MISC; Tags: Third Party Advisory, VDB Entry)
  • https://bugzilla.redhat.com/show_bug.cgi?id=713539 (Source: MISC; Tags: Issue Tracking, Patch, Vendor Advisory)
  • https://exchange.xforce.ibmcloud.com/vulnerabilities/81737 (Source: MISC; Tags: VDB Entry, Vendor Advisory)
  • [cxf-commits] 20200319 svn commit: r1058035 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html: https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Cco (Source: MLIST)
  • [cxf-commits] 20200401 svn commit: r1058573 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2020-1954.txt.asc security-advisories.html: https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Cco (Source: MLIST)
  • https://www.nds.ruhr-uni-bochum.de/research/publications/breaking-xml-encryption-pkcs15/ (Source: MISC; Tags: Technical Description, Third Party Advisory)