Security Advisories

For information on how to report a new security problem please see here.

The following security advisories have been issued for Apache WSS4J™:

• 2015
• CVE-2015-0226 - Apache WSS4J is (still) vulnerable to Bleichenbacher's attack.
• CVE-2015-0227 - Apache WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property

As Apache WSS4J is a library that provides WS-Security functionality to web service stacks such as Apache CXF and Apache Axis, security issues associated with WS-Security tend to be reported to these downstream projects. Therefore the best way to keep an eye on security issues involving WSS4J is to look at the security advisories pages of these projects.

The security advisory page for Apache CXF is here. In particular, the following security advisories are relevant to users of WSS4J:

• Note on CVE-2012-5575 - XML Encryption backwards compatibility attack on Apache CXF.
• Note on CVE-2011-2487 - Bleichenbacher attack against distributed symmetric key in WS-Security.
• Note on CVE-2011-1096 - XML Encryption flaw / Character pattern encoding attack.