CVE-2011-2487

CWE-327 — Broken Cryptographic Algorithm10 documents6 sources

Severity

5.9MEDIUM

EPSS

0.5%

top 34.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Wss4j Apache CXF RED HAT Jbossws +5 more

Timeline

PublishedMar 11

Latest updateMay 14

Description

The implementations of PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 is susceptible to a Bleichenbacher attack.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages10 packages

▶NVDapache/wss4j< 1.6.5

▶Mavenorg.apache.ws.security:wss4j< 1.6.5

▶CVEListV5apache/wss4jbefore 1.6.5

▶NVDapache/cxf2.4.0 — 2.4.6+1

▶CVEListV5red_hat/jbosswsunknown

Patches

Patch: rhn.redhat.com ↗Patch: rhn.redhat.com ↗Patch: rhn.redhat.com ↗

🔴Vulnerability Details

GHSA

Use of a Broken or Risky Cryptographic Algorithm in Apache WSS4J↗2022-05-14

▶

OSV

Use of a Broken or Risky Cryptographic Algorithm in Apache WSS4J↗2022-04-22

▶

GHSA

Use of a Broken or Risky Cryptographic Algorithm in Apache WSS4J↗2022-04-22

▶

CVEList

CVE-2011-2487: The implementations of PKCS#1 v1↗2020-03-11

▶

📋Vendor Advisories

Red Hat

wss4j: Apache WSS4J is vulnerable to Bleichenbacher's attack (incomplete fix for CVE-2011-2487)↗2015-02-10

▶

Red Hat

jbossws: Prone to Bleichenbacher attack against to be distributed symmetric key↗2012-09-04

▶

💬Community

Bugzilla

CVE-2015-0226 wss4j: Apache WSS4J is vulnerable to Bleichenbacher's attack (incomplete fix for CVE-2011-2487)↗2015-02-11

▶

Bugzilla

CVE-2011-2487 jbossws: Prone to Bleichenbacher attack against to be distributed symmetric key↗2011-06-15

▶