CVE-2015-0226

Severity

7.5

Description

Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Workaround :
> On affected products, this flaw can be mitigated by using the RSA-OAEP key wrap algorithm, instead of the default RSA-v1.5 algorithm. To use RSA-OAEP, edit the jboss-ws-security configuration file and add the property keyWrapAlgorithm="rsa_oaep" to the encrypt element.
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2487

Related links:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0226

https://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc

https://access.redhat.com/security/cve/cve-2015-0226

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2487

https://wso2.org/jira/browse/IDENTITY-3092

Project

Category

n/a

Tags

data

configuration

Date Disclosed

2017-10-30

Date Discovered

2014-11-18

Apache TomEE 1.7.x

First release:

2014-08-09

CVEs:

95

Support Lifecycle:

Namespace:

javax

1.7.0 1.7.1 1.7.2 1.7.3 1.7.4

Apache TomEE 1.6.x

First release:

2013-11-17

CVEs:

108

Support Lifecycle:

Namespace:

javax

1.6.0 1.6.0.1 1.6.0.2

Apache TomEE 1.5.x

First release:

2012-09-28

CVEs:

119

Support Lifecycle:

Namespace:

javax

1.5.0 1.5.1 1.5.2

Apache TomEE 1.0.x

First release:

2012-04-27

CVEs:

130

Support Lifecycle:

Namespace:

javax

Feel Vulnerable?

Contact us so we can help you.

First name ^*
Last name ^*
Email ^*
Company ^*
Product ^*
Heard about us from: ^*
Tell us more ^*

Send me a confirmation email

^* These fields are required.