1 Reply Latest reply on Apr 17, 2014 7:11 AM by mmusaji

    How to apply the CVE-2011-1096 fix on JBoss 5.1.0 GA?


      I don't know if I've put this in the right section, but maybe a moderator can move it wherever it is appropriate.


      The description in the Nessus scan report:

      The W3C XML Encryption Standard, implemented in JBossWS and used by one or more endpoints on the remote host, contains a design error. The design error allows unauthenticated, remote attackers to decrypt captured SOAP responses via a chosen-ciphertext attack. This issue affects all block ciphers used in cipher-block chaining (CBC) mode.

      Upgrade the JBoss server to one of the patched versions listed in the vendor advisory, and enable Galois/Counter Mode (GCM).

      JBoss 5.1.0 GA is not in the list of patched versions, so is there a way to get this fix in JBoss 5.1.0 GA?
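Added example (not from the post above, and not JBossWS code): a small model of why the scan report flags CBC and recommends GCM. It uses the `cryptography` package, AES-128 as in the `aes128-cbc` algorithm identifier, the XML Encryption padding rule (only the last byte, the pad length, is checked), and a constructed SOAP-body fragment with a constructed key, IV and nonce. With CBC there is no integrity check, so an attacker who only holds the ciphertext can flip a chosen plaintext byte by flipping the same byte of the preceding ciphertext block, and the recipient's decrypt-then-parse step (here an XML parser) answers "accepted" or "rejected" for each modified ciphertext, which is the side channel the chosen-ciphertext attack in the report is built on. With AES-GCM the same flip fails authentication before any plaintext reaches the parser.

```python
"""CBC malleability versus GCM integrity, as a model of the XML Encryption CBC issue.

Added example, not code from the forum post or from JBossWS. Requires the
`cryptography` package. Key, IV, nonce and payload are constructed sample data.
"""
import xml.etree.ElementTree as ET

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

BLOCK = 16
KEY = bytes(range(16))        # constructed sample key; never use a fixed key in practice
IV = bytes(range(16, 32))     # constructed; XML Encryption prepends the IV to the ciphertext
NONCE = bytes(range(12))      # constructed 96-bit GCM nonce
# Constructed SOAP-body fragment; the amount digits sit in the third 16-byte block.
PAYLOAD = b"<Payment><payee>alice</payee><amount>0100</amount></Payment>"


def pad(data: bytes) -> bytes:
    """XML Encryption padding: the last byte gives the pad length."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    """Only the final byte is checked, as the XML Encryption spec prescribes."""
    n = data[-1]
    if not 1 <= n <= BLOCK:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return iv || ciphertext, the layout of an xenc:CipherValue for a CBC algorithm."""
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return iv + enc.update(pad(plaintext)) + enc.finalize()


def cbc_decrypt(key: bytes, blob: bytes) -> bytes:
    """Split off the IV, decrypt, strip padding. There is no integrity check anywhere."""
    iv, ciphertext = blob[:BLOCK], blob[BLOCK:]
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    return unpad(dec.update(ciphertext) + dec.finalize())


def flip_plaintext_byte(blob: bytes, offset: int, old: int, new: int) -> bytes:
    """CBC malleability: plaintext byte i is XORed with byte i of iv||ciphertext
    (the previous block), so XORing (old ^ new) into blob[offset] turns plaintext
    byte `offset` from `old` into `new` without the key. The block that was
    modified decrypts to garbage as a side effect."""
    out = bytearray(blob)
    out[offset] ^= old ^ new
    return bytes(out)


def forged_cbc_plaintext() -> bytes:
    """Change the amount 0100 to 9100 in the ciphertext and decrypt as the recipient would."""
    blob = cbc_encrypt(KEY, IV, PAYLOAD)
    pos = PAYLOAD.index(b"0100")
    return cbc_decrypt(KEY, flip_plaintext_byte(blob, pos, ord("0"), ord("9")))


def parser_oracle(key: bytes, blob: bytes) -> bool:
    """What the attacker observes: did decryption plus XML parsing succeed?
    Distinguishable success/failure responses per submitted ciphertext are the
    oracle a chosen-ciphertext attack against CBC needs."""
    try:
        ET.fromstring(cbc_decrypt(key, blob).decode("utf-8"))
        return True
    except (ValueError, UnicodeDecodeError, ET.ParseError):
        return False


def gcm_rejects_tampering(key: bytes, nonce: bytes, plaintext: bytes) -> bool:
    """With AES-GCM the authentication tag covers every ciphertext byte, so the
    same bit flip raises InvalidTag and nothing reaches the XML parser."""
    aead = AESGCM(key)
    blob = bytearray(aead.encrypt(nonce, plaintext, None))  # ciphertext || 16-byte tag
    blob[plaintext.index(b"0100")] ^= ord("0") ^ ord("9")
    try:
        aead.decrypt(nonce, bytes(blob), None)
        return False
    except InvalidTag:
        return True


if __name__ == "__main__":
    forged = forged_cbc_plaintext()
    print("CBC, forged plaintext:", forged)
    print("CBC, original accepted by parser:", parser_oracle(KEY, cbc_encrypt(KEY, IV, PAYLOAD)))
    print("CBC, forged accepted by parser:", parser_oracle(KEY, flip_plaintext_byte(
        cbc_encrypt(KEY, IV, PAYLOAD), PAYLOAD.index(b"0100"), ord("0"), ord("9"))))
    print("GCM rejects the same tampering:", gcm_rejects_tampering(KEY, NONCE, PAYLOAD))
```

Running it shows the forged CBC plaintext with `9100` in the third block and the second block turned into garbage, while the padding and the rest survive; whether the garbled block happens to parse is exactly the yes/no answer the attacker harvests across many modified ciphertexts. The GCM call fails closed with `InvalidTag`, which is why the report's remediation is an upgrade plus enabling GCM rather than a configuration tweak to CBC.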