NVD Vulnerability Detail

CVE-2015-0226

Summary	Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487.
Publication Date	Oct. 30, 2017, 11:29 p.m.
Registration Date	Jan. 26, 2021, 2:43 p.m.
Last Update	Nov. 21, 2024, 11:22 a.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	http://rhn.redhat.com/errata/RHSA-2015-0846.html
2	http://rhn.redhat.com/errata/RHSA-2015-0846.html
3	http://rhn.redhat.com/errata/RHSA-2015-0847.html
4	http://rhn.redhat.com/errata/RHSA-2015-0847.html
5	http://rhn.redhat.com/errata/RHSA-2015-0848.html
6	http://rhn.redhat.com/errata/RHSA-2015-0848.html
7	http://rhn.redhat.com/errata/RHSA-2015-0849.html
8	http://rhn.redhat.com/errata/RHSA-2015-0849.html
9	http://rhn.redhat.com/errata/RHSA-2015-1176.html
10	http://rhn.redhat.com/errata/RHSA-2015-1176.html
11	http://rhn.redhat.com/errata/RHSA-2015-1177.html
12	http://rhn.redhat.com/errata/RHSA-2015-1177.html
13	http://www.securityfocus.com/bid/72553	Third Party Advisory VDB Entry
14	http://www.securityfocus.com/bid/72553	Third Party Advisory VDB Entry
15	https://access.redhat.com/errata/RHSA-2016:1376
16	https://access.redhat.com/errata/RHSA-2016:1376
17	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03900en_us
18	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03900en_us
19	https://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc	Issue Tracking Vendor Advisory
20	https://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc	Issue Tracking Vendor Advisory
21	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
22	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-327	不完全、または危険な暗号アルゴリズムの使用	https://cwe.mitre.org/data/definitions/327.html

JVN Vulnerability Information

Apache WSS4J における暗号アルゴリズムの使用に関する脆弱性

Title	Apache WSS4J における暗号アルゴリズムの使用に関する脆弱性
Summary	Apache WSS4J には、暗号アルゴリズムの使用に関する脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Feb. 10, 2015, midnight
Registration Date	Nov. 24, 2017, 5:58 p.m.
Last Update	Nov. 24, 2017, 5:58 p.m.

Affected System

Apache Software Foundation

Apache WSS4J 1.6.17 未満

Apache WSS4J 2.0.2 未満の 2.0.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Apache
1	CVE-2015-0226: Apache WSS4J is (still) vulnerable to Bleichenbacher's attack	https://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc
Common Vulnerabilities and Exposures (CVE)
2	CVE-2015-0226	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0226
National Vulnerability Database (NVD)
3	CVE-2015-0226	https://nvd.nist.gov/vuln/detail/CVE-2015-0226

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-327	https://cwe.mitre.org/data/definitions/327.html

その他

No	Name	URL
関連文書
1	Apache WSS4J CVE-2015-0226 Information Disclosure Vulnerability	http://www.securityfocus.com/bid/72553

Change Log

No	Changed Details	Date of change
0	[2017年11月24日] 掲載	Feb. 17, 2018, 10:37 a.m.