Security Advisories

The following security advisories have been issued for Apache WSS4J:

  • 2015
    • CVE-2015-0226 - Apache WSS4J is (still) vulnerable to Bleichenbacher's attack.
    • CVE-2015-0227 - Apache WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property.

As Apache WSS4J is a library that provides WS-Security functionality to web service stacks such as Apache CXF and Apache Axis, security issues associated with WS-Security tend to be reported to these downstream projects. Therefore, the best way to keep an eye on security issues involving WSS4J is to look at the security advisory pages of these projects.

The security advisory page for Apache CXF is here. In particular, the following security advisories are relevant to users of WSS4J: