Two new security advisories have been released for Apache WSS4J, both of which were fixed in Apache WSS4J 2.0.2 and 1.6.17.
- CVE-2015-0226: Apache WSS4J is (still) vulnerable to Bleichenbacher's attack
- CVE-2015-0227: Apache WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property
what is the impact of 0227? how do i ensure i am using requireSignedEncryptedDataElements or not?ReplyDelete
i am using wss4j 1.6.4
"requireSignedEncryptedDataElements" is set to false by default, so unless you are configuring it, it doesn't affect you. See: http://ws.apache.org/wss4j/config.htmlDelete
WSS4J 1.6.4 is quite old and has multiple security advisories, I recommend upgrading.