CVE-2015-0227

Description

Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via a vectors related to "wrapping attacks."

How to fix CVE-2015-0227

To remediate CVE-2015-0227, upgrade the affected package to a fixed version below.

• Debian/wss4j—upgrade to 1.6.15-2 or later
• Maven/org.apache.ws.security:wss4j—upgrade to 1.6.17 or later
• Maven/wss4j:wss4j—upgrade to 1.6.17 or later

Is CVE-2015-0227 being exploited?

Moderate — EPSS is 13.9%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (3)

• from 0, < 1.6.15-2
• from 0, < 1.6.17
• from 0, < 1.6.17

References (13)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-0227
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2015-0227
• WEBrhn.redhat.com/errata/RHSA-2015-0773.html
• WEBrhn.redhat.com/errata/RHSA-2015-0846.html
• WEB