-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2015-0227: Apache WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache WSS4J prior to 1.6.17 and
2.0.2.

Description:

Apache WSS4J has a "requireSignedEncryptedDataElements" boolean configuration
property which, when set to "true", enforces that every EncryptedData element
lies within a signed subtree of the document. The default value of this
property is "false". However, it is possible to circumvent this setting by
various types of wrapping attacks.

This has been fixed in revision:

http://svn.apache.org/viewvc?view=revision&revision=1619359
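As an added illustration, not WSS4J's own (Java) code, the following Python sketch shows the kind of check the property name describes and why it has to be tied to the nodes the signature verification actually processed, rather than to a fresh lookup by position or Id. It goes slightly beyond the advisory in also rejecting documents with duplicate wsu:Id values. The namespaces are the standard SOAP 1.1, WS-Security Utility, XML-DSig and XML-Enc ones; the two sample messages, the helper names, and the treatment of the signature as already cryptographically verified are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Standard namespaces for SOAP 1.1, WS-Security Utility, XML-DSig and XML-Enc.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
DS_REFERENCE = "{%s}Reference" % NS["ds"]
ENCRYPTED_DATA = "{%s}EncryptedData" % NS["xenc"]


def signed_reference_ids(root):
    """IDs named by ds:Reference/@URI. Assumption of this example: the
    signature has already been cryptographically verified elsewhere."""
    ids = []
    for ref in root.iter(DS_REFERENCE):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise ValueError("unsupported Reference URI %r" % uri)
        ids.append(uri[1:])
    return ids


def resolve_signed_nodes(root, signed_ids):
    """Map each signed ID to exactly one element. A document that carries the
    same wsu:Id twice is rejected instead of silently taking the first match."""
    index = {}
    for el in root.iter():
        el_id = el.get(WSU_ID)
        if el_id is None:
            continue
        if el_id in index:
            raise ValueError("duplicate wsu:Id %r" % el_id)
        index[el_id] = el
    missing = [i for i in signed_ids if i not in index]
    if missing:
        raise ValueError("signed reference(s) not found: %r" % missing)
    return [index[i] for i in signed_ids]


def encrypted_data_coverage(xml_text):
    """For each xenc:EncryptedData report (Id, covered): covered is True when
    the element itself or an ancestor is one of the signed nodes. Ancestry is
    checked by node identity, so relocating the signed element does not
    transfer its coverage to whatever now occupies its old position."""
    root = ET.fromstring(xml_text)
    signed_nodes = resolve_signed_nodes(root, signed_reference_ids(root))
    parents = {child: parent for parent in root.iter() for child in parent}
    signed = {id(node) for node in signed_nodes}
    report = []
    for enc in root.iter(ENCRYPTED_DATA):
        node, covered = enc, False
        while node is not None and not covered:
            covered = id(node) in signed
            node = parents.get(node)
        report.append((enc.get("Id"), covered))
    return report


def require_signed_encrypted_data_elements(xml_text):
    """True only if every EncryptedData element lies in a signed subtree."""
    return all(covered for _, covered in encrypted_data_coverage(xml_text))


# Constructed sample messages (not real traffic). The signature covers the
# element with wsu:Id="body"; digests and cipher text are placeholders.
ENVELOPE_OPEN = ('<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsu="%(wsu)s" '
                 'xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s">' % NS)
SIGNATURE = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/>'
             '</ds:SignedInfo></ds:Signature>')
ENCRYPTED = ('<xenc:EncryptedData Id="%s"><xenc:CipherData><xenc:CipherValue>'
             'UExBQ0VIT0xERVI=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>')

# Message 1: the EncryptedData sits inside the signed Body -> accepted.
GOOD_MESSAGE = (ENVELOPE_OPEN
                + "<soap:Header>" + SIGNATURE + "</soap:Header>"
                + '<soap:Body wsu:Id="body">' + ENCRYPTED % "ed1" + "</soap:Body>"
                + "</soap:Envelope>")

# Message 2: the signed Body was moved under a Header wrapper and an unsigned
# Body with another EncryptedData occupies its place -> rejected.
WRAPPED_MESSAGE = (ENVELOPE_OPEN
                   + "<soap:Header>" + SIGNATURE
                   + '<Wrapper><soap:Body wsu:Id="body">' + ENCRYPTED % "ed1"
                   + "</soap:Body></Wrapper></soap:Header>"
                   + "<soap:Body>" + ENCRYPTED % "ed2" + "</soap:Body>"
                   + "</soap:Envelope>")

if __name__ == "__main__":
    for name, msg in (("good", GOOD_MESSAGE), ("wrapped", WRAPPED_MESSAGE)):
        print(name, encrypted_data_coverage(msg),
              "accept" if require_signed_encrypted_data_elements(msg) else "reject")
```

The design point is in encrypted_data_coverage: the signed nodes are the exact Element objects resolved from the verified references, and coverage is decided by walking the parent chain and comparing identities. A check that instead re-selected "the Body" by path, or re-looked-up the Id at check time, could be satisfied by a document in which the signed content has been moved and something unsigned placed where a reader expects it.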

Migration:

WSS4J 1.6.x users should upgrade to 1.6.17 or later as soon as possible.
WSS4J 2.0.x users should upgrade to 2.0.2 or later as soon as possible.

References: http://ws.apache.org/wss4j/security_advisories.html

Acknowledgments: Dennis Kupser, Christian Mainka, Juraj Somorovsky (Ruhr
University Bochum)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJU2dzcAAoJEGe/gLEK1TmD+BgIALeCz42JQvRBMV2XF2W4/WdT
7+ZSyJZM9vTOsy59FRDV2Njndsz+XL6CUbY2RtcEccir/rLHfE4pf/JLTVBZiYbr
J8eOhvXFOyJ0BR/tLrliCohofsSmQCU/XBU7aYF1I7tlaJjehubw4/8DuPGLZz+b
/og4t+2uSRujNf5Li8kxNGclx0hqpPFvEzMUGvq9+HPtPJaMLF3/b9+ns3VpfGP6
ejq6kMNgiNiigoZCw3TXZ92hjuUsVSRdOQKtv0Lq0LVZ5+5HxMk5d9LZIpWjDP9L
Li3lsXE0AxGr4NlIJF56MdaxqM9OJGBL7UaIjV0woHl9i7DhxwrBUJxF4lkX8uA=
=gNWs
-----END PGP SIGNATURE-----