cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache CXF > Note on CVE-2011-2487
Date Tue, 11 Dec 2012 15:50:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF/Note+on+CVE-2011-2487">Note
on CVE-2011-2487</a></h2>
    <h4>Page  <b>added</b> by             <a href="https://cwiki.apache.org/confluence/display/~coheigea@apache.org">Colm
O hEigeartaigh</a>
    </h4>
         <br/>
    <div class="notificationGreySide">
         <p>----<del>BEGIN PGP SIGNED MESSAGE</del>----<br/>
Hash: SHA1</p>


<p>Another attack has emerged on the XML Encryption standard, as described by<br/>
the security advisory CVE-2011-2487:</p>

<p><a href="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2487" class="external-link"
rel="nofollow">https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2487</a></p>

<p>Tibor Jager, Sebastian Schinzel and Juraj Somorovsky have published a paper<br/>
that describes a number of attacks on the PKCS#1 v1.5 Key Transport Algorithm,<br/>
used to encrypt symmetric keys as part of WS-Security. One of these attacks<br/>
exploits the fact that WSS4J can leak information about where a particular<br/>
decryption operation fails. This bug has been fixed in WSS4J 1.6.5, where a <br/>
new symmetric key is generated if the decryption of the encrypted key fails. <br/>
In this way it is not possible for an attacker to find out whether a decryption<br/>
failure was due to the failure of decrypting the key or the data.</p>

<p>Migration:</p>

<p>Any version of CXF that uses Apache WSS4J 1.6.4 or below is vulnerable to this<br/>
attack. </p>

<p>CXF 2.5.2 users or below should upgrade to the latest version of CXF 2.5.x.<br/>
CXF 2.4.6 users or below should upgrade to the latest version of CXF 2.4.x.<br/>
CXF 2.6 and 2.7 are unaffected.</p>

<p>Additional Recommendation:</p>

<p>It is recommended that the use of the RSA v1.5 key transport algorithm be<br/>
discontinued. Instead the RSA-OAEP key transport algorithm should be used.<br/>
This algorithm is used by default from WSS4J 1.6.8 onwards. If you are using<br/>
WS-SecurityPolicy, then make sure not to use the AlgorithmSuite policies ending<br/>
in "Rsa15".</p>


<p>----<del>BEGIN PGP SIGNATURE</del>----<br/>
Version: GnuPG v1.4.11 (GNU/Linux)</p>

<p>iQEcBAEBAgAGBQJQx1VvAAoJEGe/gLEK1TmD3AMH/jMHnkHEeSvehv951SSJiAQZ<br/>
jjrjzAMrBXn9577diGitmnlD/GFOqwJZlLGmVZSzy0A+yrshv/BF/n2iosWvBygI<br/>
a41XYvaJC3KmAQUFn/iwVZO3Axv3IVRsIQ1qrseXMcpjO7zIIN7wac5TePxXUb5Q<br/>
XAGGDFetezalF2/CG3Ye0bLsa3GEQN803QssTA651jz5MR64alaEoHKGZjyPucFA<br/>
R/D7Nbr/WP3Q6hoYJlKT0Ca6rPZScLWhiOHUM5Qgn6fd2OlhDKAKc2r82twqjWh/<br/>
l+uGiEioYOIGg/67g0r/s8Ax66DTX61Bueg7/xpTeZE7C81//EO4ch1/2YsrUPg=<br/>
=y5J/<br/>
----<del>END PGP SIGNATURE</del>----</p>
    </div>
    <div id="commentsSection" class="wiki-content pageSection">
       <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
       </div>
       <a href="https://cwiki.apache.org/confluence/display/CXF/Note+on+CVE-2011-2487">View
Online</a>
              |
       <a href="https://cwiki.apache.org/confluence/display/CXF/Note+on+CVE-2011-2487?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
           </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message