製品・ソフトウェアに関する情報

JVN脆弱性詳細

JBoss Enterprise Portal Platform の JBossWS における平文データを取得される脆弱性

Title	JBoss Enterprise Portal Platform の JBossWS における平文データを取得される脆弱性
Summary	JBoss Enterprise Portal Platform およびその他の製品の JBoss Web Services (JBossWS) で使用される W3C XML 暗号化標準には、暗号ブロック連鎖 (CBC) モードでブロック暗号を使用する場合、平文データを取得される脆弱性が存在します。
Possible impacts	第三者により、SOAP レスポンスに対する選択暗号文攻撃 (chosen ciphertext attack) を介して、平文データを取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Oct. 8, 2012, midnight
Registration Date	Nov. 27, 2012, 8:03 p.m.
Last Update	Nov. 27, 2012, 8:03 p.m.

CVSS2.0 : 警告
Score	5
Vector	AV:N/AC:L/Au:N/C:P/I:N/A:N

Affected System

レッドハット

Red Hat JBoss Portal 5.2.2 およびそれ以前

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2011-1096	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1096
National Vulnerability Database (NVD)
2	CVE-2011-1096	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1096

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-310	https://jvndb.jvn.jp/ja/cwe/CWE-310.html

ベンダー情報

No	Name	URL
Apache CXF
1	Note on CVE-2011-1096	http://cxf.apache.org/note-on-cve-2011-1096.html
Red Hat Bugzilla
2	Bug 681916	https://bugzilla.redhat.com/show_bug.cgi?id=681916
Red Hat Security Advisory
3	RHSA-2012:1344	http://rhn.redhat.com/errata/RHSA-2012-1344.html

Change Log

No	Changed Details	Date of change
0	[2012年11月27日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2011-1096

Summary	The W3C XML Encryption Standard, as used in the JBoss Web Services (JBossWS) component in JBoss Enterprise Portal Platform before 5.2.2 and other products, when using block ciphers in cipher-block chaining (CBC) mode, allows remote attackers to obtain plaintext data via a chosen-ciphertext attack on SOAP responses, aka "character encoding pattern attack."
Publication Date	Nov. 24, 2012, 5:55 a.m.
Registration Date	Jan. 28, 2021, 4:38 p.m.
Last Update	Nov. 21, 2024, 10:25 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.0.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.1.1:::::::*
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.1.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_portal_platform::::::::		5.2.1
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.0.1:::::::*

Related information, measures and tools

No	URL	refsource	タグ
1	http://aktuell.ruhr-uni-bochum.de/pm2011/pm00330.html.de
2	http://coheigea.blogspot.com/2012/04/note-on-cve-2011-1096.html
3	http://cxf.apache.org/note-on-cve-2011-1096.html
4	http://dl.acm.org/citation.cfm?id=2046756&dl=ACM&coll=DL
5	http://rhn.redhat.com/errata/RHSA-2012-1301.html
6	http://rhn.redhat.com/errata/RHSA-2012-1330.html
7	http://rhn.redhat.com/errata/RHSA-2012-1344.html
8	http://rhn.redhat.com/errata/RHSA-2013-0191.html
9	http://rhn.redhat.com/errata/RHSA-2013-0192.html
10	http://rhn.redhat.com/errata/RHSA-2013-0193.html
11	http://rhn.redhat.com/errata/RHSA-2013-0194.html
12	http://rhn.redhat.com/errata/RHSA-2013-0195.html
13	http://rhn.redhat.com/errata/RHSA-2013-0196.html
14	http://rhn.redhat.com/errata/RHSA-2013-0197.html
15	http://rhn.redhat.com/errata/RHSA-2013-0198.html
16	http://rhn.redhat.com/errata/RHSA-2013-0221.html
17	http://rhn.redhat.com/errata/RHSA-2013-0261.html
18	http://rhn.redhat.com/errata/RHSA-2013-1437.html
19	http://secunia.com/advisories/51984
20	http://secunia.com/advisories/52054
21	http://www.csoonline.com/article/692366/widely-used-encryption-standard-is-insecure-say-experts
22	http://www.securityfocus.com/bid/55770
23	https://bugzilla.redhat.com/show_bug.cgi?id=681916
24	https://exchange.xforce.ibmcloud.com/vulnerabilities/79031
25	https://lists.apache.org/thread.html/8d5d29747548a24cccdb7f3e2d4d599ffb7ffe4537426b3c9a852cf4%40%3Ccommits.cxf.apache.org%3E
26	https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
27	https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
28	https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
29	https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
30	https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
31	https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
32	http://aktuell.ruhr-uni-bochum.de/pm2011/pm00330.html.de
33	https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
34	https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
35	https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
36	https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
37	https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
38	https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
39	https://lists.apache.org/thread.html/8d5d29747548a24cccdb7f3e2d4d599ffb7ffe4537426b3c9a852cf4%40%3Ccommits.cxf.apache.org%3E
40	https://exchange.xforce.ibmcloud.com/vulnerabilities/79031
41	https://bugzilla.redhat.com/show_bug.cgi?id=681916
42	http://www.securityfocus.com/bid/55770
43	http://www.csoonline.com/article/692366/widely-used-encryption-standard-is-insecure-say-experts
44	http://secunia.com/advisories/52054
45	http://secunia.com/advisories/51984
46	http://rhn.redhat.com/errata/RHSA-2013-1437.html
47	http://rhn.redhat.com/errata/RHSA-2013-0261.html
48	http://rhn.redhat.com/errata/RHSA-2013-0221.html
49	http://rhn.redhat.com/errata/RHSA-2013-0198.html
50	http://rhn.redhat.com/errata/RHSA-2013-0197.html
51	http://rhn.redhat.com/errata/RHSA-2013-0196.html
52	http://rhn.redhat.com/errata/RHSA-2013-0195.html
53	http://rhn.redhat.com/errata/RHSA-2013-0194.html
54	http://rhn.redhat.com/errata/RHSA-2013-0193.html
55	http://rhn.redhat.com/errata/RHSA-2013-0192.html
56	http://rhn.redhat.com/errata/RHSA-2013-0191.html
57	http://rhn.redhat.com/errata/RHSA-2012-1344.html
58	http://rhn.redhat.com/errata/RHSA-2012-1330.html
59	http://rhn.redhat.com/errata/RHSA-2012-1301.html
60	http://dl.acm.org/citation.cfm?id=2046756&dl=ACM&coll=DL
61	http://cxf.apache.org/note-on-cve-2011-1096.html
62	http://coheigea.blogspot.com/2012/04/note-on-cve-2011-1096.html

Common Vulnerabilities List