-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2015-0227: Apache WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:
This vulnerability affects all versions of Apache WSS4J prior to 1.6.17 and 2.0.2.

Description:
Apache WSS4J has a "requireSignedEncryptedDataElements" boolean configuration property which, if set to true, enforces that EncryptedData elements are in a signed subtree of the document. The default value of this property is "false". However, it is possible to circumvent this setting by various types of wrapping attacks.

This has been fixed in revision:
http://svn.apache.org/viewvc?view=revision&revision=1619359

Migration:
WSS4J 1.6.x users should upgrade to 1.6.17 or later as soon as possible.
WSS4J 2.0.x users should upgrade to 2.0.2 or later as soon as possible.

References:
http://ws.apache.org/wss4j/security_advisories.html

Acknowledgments:
Dennis Kupser, Christian Mainka, Juraj Somorovsky (Ruhr University Bochum)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJU2dzcAAoJEGe/gLEK1TmD+BgIALeCz42JQvRBMV2XF2W4/WdT
7+ZSyJZM9vTOsy59FRDV2Njndsz+XL6CUbY2RtcEccir/rLHfE4pf/JLTVBZiYbr
J8eOhvXFOyJ0BR/tLrliCohofsSmQCU/XBU7aYF1I7tlaJjehubw4/8DuPGLZz+b
/og4t+2uSRujNf5Li8kxNGclx0hqpPFvEzMUGvq9+HPtPJaMLF3/b9+ns3VpfGP6
ejq6kMNgiNiigoZCw3TXZ92hjuUsVSRdOQKtv0Lq0LVZ5+5HxMk5d9LZIpWjDP9L
Li3lsXE0AxGr4NlIJF56MdaxqM9OJGBL7UaIjV0woHl9i7DhxwrBUJxF4lkX8uA=
=gNWs
-----END PGP SIGNATURE-----
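The property described above, "EncryptedData elements must lie in a signed subtree", boils down to a structural check that runs after the XML signature itself has been cryptographically verified. The following is an added illustration of that check written by the editor; it is not WSS4J code and does not reproduce WSS4J's implementation. It assumes same-document fragment references (URI="#id") only, treats any attribute with local name Id (such as wsu:Id) as an identifier, and refuses documents in which an Id is not unique, since a referenced Id that resolves to more than one element is a typical foothold for wrapping. The SOAP envelopes at the bottom are constructed sample input, not messages from the advisory.

```python
import xml.etree.ElementTree as ET

# Namespaces used by WS-Security messages.
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return tag.rsplit("}", 1)[-1]


def _id_of(elem):
    """Return the value of an Id-like attribute (e.g. wsu:Id), or None."""
    for name, value in elem.attrib.items():
        if _local(name) == "Id":
            return value
    return None


def signed_elements(root):
    """Resolve every ds:Reference URI="#x" to exactly one element.

    Raises ValueError when an Id occurs more than once or a reference does not
    resolve: an ambiguous Id map is where wrapping tricks typically hide.
    """
    by_id = {}
    for elem in root.iter():
        eid = _id_of(elem)
        if eid is None:
            continue
        if eid in by_id:
            raise ValueError(f"duplicate Id {eid!r}")
        by_id[eid] = elem

    signed = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            # Only same-document fragment references are handled here.
            raise ValueError(f"unsupported reference URI {uri!r}")
        target = by_id.get(uri[1:])
        if target is None:
            raise ValueError(f"reference {uri!r} does not resolve")
        signed.append(target)
    return signed


def encrypted_data_is_signed(xml_text):
    """True iff every xenc:EncryptedData element is inside a signed subtree.

    Assumes the signature value has already been verified; this is only the
    structural part of the check.
    """
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    signed = set(signed_elements(root))
    for enc in root.iter(f"{{{XENC}}}EncryptedData"):
        node = enc
        # Walk up to the root looking for a signed ancestor (or self).
        while node is not None and node not in signed:
            node = parent.get(node)
        if node is None:
            return False
    return True


# --- Constructed sample messages (hypothetical, for illustration only) ---

ENCRYPTED = (f'<xenc:EncryptedData xmlns:xenc="{XENC}"><xenc:CipherData>'
             '<xenc:CipherValue>QUJD</xenc:CipherValue></xenc:CipherData>'
             '</xenc:EncryptedData>')


def _envelope(extra_header, body_content):
    """Envelope whose Signature covers only the element with Id 'body'."""
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsu="{WSU}">
  <soap:Header>
    <ds:Signature xmlns:ds="{DS}">
      <ds:SignedInfo><ds:Reference URI="#body"/></ds:SignedInfo>
    </ds:Signature>
    {extra_header}
  </soap:Header>
  <soap:Body wsu:Id="body">{body_content}</soap:Body>
</soap:Envelope>"""


# EncryptedData sits inside the signed Body: accepted.
GOOD = _envelope("", ENCRYPTED)
# EncryptedData sits in an unsigned header wrapper: rejected.
UNSIGNED = _envelope(f"<Wrapper>{ENCRYPTED}</Wrapper>", "<Payload/>")
# A second element claims the signed Id: the Id map is ambiguous, so refuse.
DUPLICATE_ID = _envelope(f'<Wrapper wsu:Id="body">{ENCRYPTED}</Wrapper>', "<Payload/>")

if __name__ == "__main__":
    print("good:", encrypted_data_is_signed(GOOD))
    print("unsigned:", encrypted_data_is_signed(UNSIGNED))
    try:
        encrypted_data_is_signed(DUPLICATE_ID)
    except ValueError as exc:
        print("duplicate:", exc)
```

The design point is that the check is anchored on resolved element identity and ancestry, not on element names or XPath positions, and that it fails closed on any ambiguity in Id resolution; resolving a reference by the first match of an Id, or locating EncryptedData by a fixed path, is what lets an attacker-controlled unsigned copy stand in for the signed one.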