CVE-2011-2487 — MEDIUM (5.9)

Q: What is CVE-2011-2487?

CVE-2011-2487 is a vulnerability with a CVSS score of 5.9 (MEDIUM). The implementations of PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 is susceptible to a Bleichenbacher attack.

Q: How severe is CVE-2011-2487?

CVE-2011-2487 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2011-2487?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Cxf, Apache Wss4J, Redhat Jboss Business Rules Management System, Redhat Jboss Enterprise Application Platform, Redhat Jboss Enterprise Application Platform Text-Only Advisories.

Vulnerability Description

The implementations of PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 is susceptible to a Bleichenbacher attack.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Cxf	>= 2.4.0, <= 2.4.6
Apache	Wss4J	< 1.6.5
Redhat	Jboss Business Rules Management System	5.3
Redhat	Jboss Enterprise Application Platform	5.0.0
Redhat	Jboss Enterprise Application Platform Text-Only Advisories	-
Redhat	Jboss Enterprise Soa Platform	4.2.0
Redhat	Jboss Enterprise Web Platform	5.0.0
Redhat	Jboss Middleware Text-Only Advisories	-
Redhat	Jboss Portal	4.0.0
Redhat	Jboss Web Services	-

Related Weaknesses (CWE)

CWE-327

References

http://cxf.apache.org/note-on-cve-2011-2487.htmlVendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0191.htmlPatchVendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0192.htmlPatchVendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0193.htmlBroken LinkPatchVendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0194.htmlPatchVendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0195.htmlPatchVendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0196.htmlPatchVendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0198.htmlPatchVendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0221.htmlPatchVendor Advisory
http://www.securityfocus.com/bid/57549Third Party AdvisoryVDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=713539Issue TrackingPatchVendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/81737VDB EntryVendor Advisory
https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de10
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fd
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba7

FAQ

What is CVE-2011-2487?

CVE-2011-2487 is a vulnerability with a CVSS score of 5.9 (MEDIUM). The implementations of PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 is susceptible to a Bleichenbacher attack.

How severe is CVE-2011-2487?

CVE-2011-2487 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2011-2487?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Cxf, Apache Wss4J, Redhat Jboss Business Rules Management System, Redhat Jboss Enterprise Application Platform, Redhat Jboss Enterprise Application Platform Text-Only Advisories.