CVE-2015-0227: Apache WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property
Severity: Major
Vendor: The Apache Software Foundation
Versions Affected:
This vulnerability affects all versions of Apache WSS4J prior to 1.6.17 and
2.0.2.
Description:
Apache WSS4J has a "requireSignedEncryptedDataElements" boolean configuration
property which, if set, enforces that EncryptedData elements are in a signed
subtree of the document. The default value of this property is "false".
However, it is possible to circumvent this setting by various types of
wrapping attacks.
This has been fixed in revision:
http://svn.apache.org/viewvc?view=revision&revision=1619359
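To illustrate what the property is meant to enforce, here is an added example (not WSS4J code and not part of the original advisory): a simplified Python check that lists EncryptedData elements lying outside every subtree referenced by a ds:Reference. The function names and the abbreviated sample message are constructed for illustration; only same-document wsu:Id references are resolved and no signature is cryptographically verified.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")


def unsigned_encrypted_data(soap_xml):
    """Return the EncryptedData elements that are not inside any subtree
    referenced by a ds:Reference (hypothetical helper, not a WSS4J API)."""
    root = ET.fromstring(soap_xml)
    # Map every wsu:Id to its element. An Id that occurs twice makes
    # "the signed element" ambiguous, so such a message is rejected.
    by_id = {}
    for el in root.iter():
        wsu_id = el.get("{%s}Id" % WSU)
        if wsu_id is not None:
            if wsu_id in by_id:
                raise ValueError("duplicate wsu:Id: " + wsu_id)
            by_id[wsu_id] = el
    # Collect every element that sits in a subtree covered by a Reference.
    covered = set()
    for ref in root.iter("{%s}Reference" % DS):
        uri = ref.get("URI", "")
        target = by_id.get(uri[1:]) if uri.startswith("#") else None
        if target is not None:
            covered.update(target.iter())
    return [ed for ed in root.iter("{%s}EncryptedData" % XENC)
            if ed not in covered]


def sample_message(ref_uri):
    """Constructed, heavily abbreviated SOAP message for the example."""
    return f"""<soap:Envelope
 xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ds="{DS}" xmlns:xenc="{XENC}" xmlns:wsu="{WSU}">
 <soap:Header>
  <wsu:Timestamp wsu:Id="TS-1"/>
  <ds:Signature><ds:SignedInfo>
   <ds:Reference URI="{ref_uri}"/>
  </ds:SignedInfo></ds:Signature>
 </soap:Header>
 <soap:Body wsu:Id="Body-1"><xenc:EncryptedData Id="ED-1"/></soap:Body>
</soap:Envelope>"""


SIGNED = sample_message("#Body-1")    # signature covers the Body
UNSIGNED = sample_message("#TS-1")    # signature covers only the Timestamp
```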
Migration:
WSS4J 1.6.x users should upgrade to 1.6.17 or later as soon as possible.
WSS4J 2.0.x users should upgrade to 2.0.2 or later as soon as possible.
References: http://ws.apache.org/wss4j/security_advisories.html
Acknowledgments: Dennis Kupser, Christian Mainka, Juraj Somorovsky (Ruhr
University Bochum)