A Java-based web service running on the remote host uses an unsafe encryption method.
The W3C XML Encryption Standard, implemented in JBossWS and used by one or more endpoints on the remote host, contains a design error. The design error allows unauthenticated, remote attackers to decrypt captured SOAP responses via a chosen-ciphertext attack. This issue affects all block ciphers used in cipher-block chaining (CBC) mode.
Upgrade the JBoss server to one of the patched versions listed in the vendor advisory, and enable Galois/Counter Mode (GCM).
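To confirm the change took effect, the following added example (not part of the advisory and not JBossWS code) inspects a captured or logged SOAP message and reports whether each `EncryptedData` element declares a CBC or a GCM algorithm. The algorithm URIs are those defined by XML Encryption 1.0 and 1.1; the function names and the sample message are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"
# Block-encryption URIs from XML Encryption 1.0: all use CBC mode.
CBC_URIS = {XENC + n for n in
            ("tripledes-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc")}
# Authenticated-encryption URIs added in XML Encryption 1.1.
GCM_URIS = {XENC11 + n for n in ("aes128-gcm", "aes192-gcm", "aes256-gcm")}


def audit_soap(xml_bytes):
    """Return a list of (algorithm URI, verdict) per EncryptedData element."""
    # SOAP messages must not carry a DTD; refusing one also avoids
    # entity-expansion problems when parsing untrusted captures.
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DTD not allowed in a SOAP message")
    root = ET.fromstring(xml_bytes)
    findings = []
    for enc_data in root.iter("{%s}EncryptedData" % XENC):
        # Direct child only: EncryptedKey has its own EncryptionMethod
        # (key transport), which is not what this check is about.
        method = enc_data.find("{%s}EncryptionMethod" % XENC)
        uri = method.get("Algorithm") if method is not None else None
        if uri in CBC_URIS:
            verdict = "cbc"        # malleable ciphertext, needs remediation
        elif uri in GCM_URIS:
            verdict = "gcm"        # authenticated mode, as recommended
        else:
            verdict = "unknown"    # missing or unrecognised algorithm
        findings.append((uri, verdict))
    return findings


def constructed_message(algorithm_uri):
    """Build a constructed SOAP response with one encrypted body (sample data)."""
    return ("""<soap:Envelope
 xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><soap:Body>
<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod Algorithm="%s"/>
<xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData></soap:Body></soap:Envelope>""" % algorithm_uri).encode()


if __name__ == "__main__":
    for alg in (XENC + "aes128-cbc", XENC11 + "aes128-gcm"):
        print(audit_soap(constructed_message(alg)))
```

Any `cbc` verdict after the upgrade means the endpoint's encryption policy still selects a CBC algorithm and GCM has not been enabled for it.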