Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2015-0226

Опубликовано: 10 фев. 2015
Источник: redhat
CVSS2: 7.8
EPSS Низкий

Описание

Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487.

It was found that a prior countermeasure in Apache WSS4J for Bleichenbacher's attack on XML Encryption (CVE-2011-2487) threw an exception that permitted an attacker to determine the failure of the attempted attack, thereby leaving WSS4J vulnerable to the attack. The original flaw allowed a remote attacker to recover the entire plain text form of a symmetric key.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat JBoss BRMS 5wss4jAffected
Red Hat JBoss BRMS 6wss4jAffected
Red Hat JBoss Data Virtualization 6wss4jAffected
Red Hat JBoss Enterprise Web Server 1fuse-6Affected
Red Hat JBoss Enterprise Web Server 1fuse-esb-7Affected
Red Hat JBoss Fuse Service Works 6wss4jAffected
Red Hat JBoss Operations Network 2wss4jNot affected
Red Hat JBoss Operations Network 3wss4jAffected
Red Hat JBoss Portal 6wss4jAffected
Red Hat JBoss SOA Platform 4wss4jNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-327
https://bugzilla.redhat.com/show_bug.cgi?id=1191446wss4j: Apache WSS4J is vulnerable to Bleichenbacher's attack (incomplete fix for CVE-2011-2487)

EPSS

Процентиль: 90%
0.0521
Низкий

7.8 High

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2015-0226

CVSS3: 7.5
ubuntu
больше 8 лет назад

Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487.

nvd логотип

CVE-2015-0226

CVSS3: 7.5
nvd
больше 8 лет назад

Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487.

debian логотип

CVE-2015-0226

CVSS3: 7.5
debian
больше 8 лет назад

Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks inf ...

github логотип

GHSA-vjwc-5hfh-2vv5

CVSS3: 7.5
github
больше 3 лет назад

Use of a Broken or Risky Cryptographic Algorithm in Apache WSS4J

EPSS

Процентиль: 90%
0.0521
Низкий

7.8 High

CVSS2

Уязвимость CVE-2015-0226