Tuesday, February 10, 2015

Two new security advisories released for Apache WSS4J

Two new security advisories have been released for Apache WSS4J, both of which were fixed in Apache WSS4J 2.0.2 and 1.6.17.
  • CVE-2015-0226: Apache WSS4J is (still) vulnerable to Bleichenbacher's attack
  • CVE-2015-0227: Apache WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property
Please see the Apache WSS4J security advisories page for more information.


  1. what is the impact of 0227? how do i ensure i am using requireSignedEncryptedDataElements or not?
    i am using wss4j 1.6.4

    1. "requireSignedEncryptedDataElements" is set to false by default, so unless you are configuring it, it doesn't affect you. See: http://ws.apache.org/wss4j/config.html

      WSS4J 1.6.4 is quite old and has multiple security advisories, I recommend upgrading.