CVE-2015-0226 — Use of a Broken or Risky Cryptographic Algorithm in Apache WSS4J

Description

Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487.

How to fix CVE-2015-0226

To remediate CVE-2015-0226, upgrade the affected package to a fixed version below.

—upgrade to 1.6.15-2 or later
—upgrade to 2.0.2 or later
—upgrade to 1.6.17 or later

Is CVE-2015-0226 being exploited?

Moderate — EPSS is 5.2%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (3)

from 0, < 1.6.15-2
>= 2.0.0, < 2.0.2
from 0, < 1.6.17

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (16)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-0226
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2015-0226
PATCHgithub.com/apache/ws-wss4j
WEBrhn.redhat.com/errata/RHSA-2015-0846.html
WEBrhn.redhat.com