1 Reply Latest reply on Apr 17, 2014 7:11 AM by mmusaji

    How to apply the CVE-2011-1096 fix on JBoss 5.1.0 GA?

    spiderweb

      I don't know if I've put this in the right section, but maybe a moderator can move it wherever it is appropriate.

      The Description in the Nessus scan report:

      The W3C XML Encryption Standard, implemented in JBossWS and used by one or more endpoints on the remote host, contains a design error. The design error allows unauthenticated, remote attackers to decrypt captured SOAP responses via a chosen-ciphertext attack. This issue affects all block ciphers used in cipher-block chaining (CBC) mode.

      Solution

      Upgrade the JBoss server to one of the patched versions listed in the vendor advisory, and enable Galois/Counter Mode (GCM).

      See Also

      https://bugzilla.redhat.com/show_bug.cgi?id=681916

      https://access.redhat.com/security/cve/CVE-2011-1096

      http://dl.acm.org/citation.cfm?id=2046756

      http://cxf.apache.org/note-on-cve-2011-1096.html

      JBoss 5.1.0 GA is not in the list of patched versions, so is there a way to get this fix in JBoss 5.1.0 GA?
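The scan text above boils down to one check: whether the endpoint still encrypts SOAP bodies with a CBC-mode cipher rather than GCM. As an added example, not code from the original post or from JBoss, here is a small Python audit that classifies the xenc:EncryptionMethod algorithm URIs in a captured SOAP message, so a defender can confirm from traffic whether an endpoint still emits CBC ciphertext after patching; the sample messages are constructed and the ciphertext is a placeholder.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"      # XML Encryption 1.0 namespace
XENC11 = "http://www.w3.org/2009/xmlenc11#"     # XML Encryption 1.1 (GCM) namespace

# Data-encryption algorithm URIs: the CBC set is what CVE-2011-1096 affects,
# the GCM set is the mitigation the advisory recommends.
CBC_ALGORITHMS = {XENC + s for s in ("tripledes-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc")}
GCM_ALGORITHMS = {XENC11 + s for s in ("aes128-gcm", "aes192-gcm", "aes256-gcm")}


def classify(algorithm):
    """Return 'cbc', 'gcm' or 'other' (key transport such as RSA-OAEP is 'other')."""
    if algorithm in CBC_ALGORITHMS:
        return "cbc"
    if algorithm in GCM_ALGORITHMS:
        return "gcm"
    return "other"


def audit_message(xml_text):
    """Map every EncryptionMethod Algorithm URI in the message to its class."""
    root = ET.fromstring(xml_text)
    return {m.get("Algorithm"): classify(m.get("Algorithm"))
            for m in root.iter("{%s}EncryptionMethod" % XENC)}


def uses_cbc(xml_text):
    """True if any EncryptedData in the message uses a CBC-mode block cipher."""
    return "cbc" in audit_message(xml_text).values()


# Constructed sample: WS-Security-encrypted SOAP body using AES-128-CBC for the
# payload and RSA-OAEP for key transport (the CipherValue is a placeholder).
SAMPLE_CBC = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soap:Header><xenc:EncryptedKey>
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
  </xenc:EncryptedKey></soap:Header>
  <soap:Body><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Content">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData></soap:Body>
</soap:Envelope>"""

# The same message after the endpoint is switched to AES-128-GCM data encryption.
SAMPLE_GCM = SAMPLE_CBC.replace(XENC + "aes128-cbc", XENC11 + "aes128-gcm")

if __name__ == "__main__":
    for name, msg in (("cbc sample", SAMPLE_CBC), ("gcm sample", SAMPLE_GCM)):
        print(name, "still uses CBC:", uses_cbc(msg), audit_message(msg))
```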