I don't know if I've put this in the right section, but maybe a moderator can move it wherever it is appropriate.
The Description in the Nessus scan report:
The W3C XML Encryption Standard, implemented in JBossWS and used by one or more endpoints on the remote host, contains a design error. The design error allows unauthenticated, remote attackers to decrypt captured SOAP responses via a chosen-ciphertext attack. This issue affects all block ciphers used in cipher-block chaining (CBC) mode.
Solution
Upgrade the JBoss server to one of the patched versions listed in the vendor advisory, and enable Galois/Counter Mode (GCM).
See Also
https://bugzilla.redhat.com/show_bug.cgi?id=681916
https://access.redhat.com/security/cve/CVE-2011-1096
http://dl.acm.org/citation.cfm?id=2046756
http://cxf.apache.org/note-on-cve-2011-1096.html
JBoss 5.1.0 GA is not in the list of patched versions, so is there a way to get this fix in JBoss 5.1.0 GA?
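A defender-side check for the condition the scan report describes, added here as an example (it is not the poster's, Nessus's or JBoss's own code): it parses a captured SOAP message and reports whether any xenc:EncryptionMethod uses a CBC-mode block cipher rather than the GCM identifiers the solution recommends. The algorithm URIs are the standard XML Encryption 1.0/1.1 identifiers; the sample response is constructed.

```python
# Added example (not from the forum post or the Nessus plugin): audit the
# EncryptionMethod algorithms in a captured SOAP message and flag CBC-mode
# block ciphers, the class affected by CVE-2011-1096. The namespace and
# algorithm URIs are the real XML Encryption 1.0/1.1 identifiers; the SOAP
# response below is constructed.
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"
# CBC-mode block ciphers from XML Encryption 1.0: all affected.
CBC_ALGORITHMS = {XENC + s for s in ("tripledes-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc")}
# Authenticated GCM ciphers from XML Encryption 1.1: the recommended replacement.
GCM_ALGORITHMS = {XENC11 + s for s in ("aes128-gcm", "aes192-gcm", "aes256-gcm")}


def audit_encryption_methods(xml_text: str) -> list[tuple[str, str]]:
    """Return (verdict, algorithm_uri) per xenc:EncryptionMethod: "cbc" is
    vulnerable, "gcm" is the recommended replacement, "other" covers key
    transport, key wrap and unrecognised URIs (review those separately)."""
    findings = []
    for elem in ET.fromstring(xml_text).iter("{%s}EncryptionMethod" % XENC):
        alg = elem.get("Algorithm", "")
        verdict = "cbc" if alg in CBC_ALGORITHMS else "gcm" if alg in GCM_ALGORITHMS else "other"
        findings.append((verdict, alg))
    return findings


def cbc_in_use(xml_text: str) -> bool:
    """True when any EncryptedData or EncryptedKey in the message uses CBC mode."""
    return any(v == "cbc" for v, _ in audit_encryption_methods(xml_text))


# Constructed SOAP response: RSA-OAEP key transport plus an AES-128-CBC body.
SAMPLE_CBC_RESPONSE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soapenv:Header>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
  </soapenv:Header>
  <soapenv:Body>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    for verdict, alg in audit_encryption_methods(SAMPLE_CBC_RESPONSE):
        print(verdict, alg)
```

Run it over responses captured from the endpoints Nessus flagged; a "cbc" verdict on the body's EncryptedData confirms the finding, while the key-transport EncryptionMethod is reported as "other" because the advisory concerns the data-encryption cipher.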
If you have a support subscription with Red Hat, please raise a support case. This is fixed in EAP 5.2.0, and a patch was released for EAP 5.1.2.