You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by co...@apache.org on 2015/02/10 12:05:23 UTC

svn commit: r1658674 - in /webservices/wss4j/trunk/src/site: resources/ resources/advisories/ resources/advisories/CVE-2015-0226.txt.asc resources/advisories/CVE-2015-0227.txt.asc xdoc/index.xml xdoc/security_advisories.xml

Author: coheigea
Date: Tue Feb 10 11:05:22 2015
New Revision: 1658674

URL: http://svn.apache.org/r1658674
Log:
Updating website

Added:
    webservices/wss4j/trunk/src/site/resources/
    webservices/wss4j/trunk/src/site/resources/advisories/
    webservices/wss4j/trunk/src/site/resources/advisories/CVE-2015-0226.txt.asc
    webservices/wss4j/trunk/src/site/resources/advisories/CVE-2015-0227.txt.asc
Modified:
    webservices/wss4j/trunk/src/site/xdoc/index.xml
    webservices/wss4j/trunk/src/site/xdoc/security_advisories.xml

Added: webservices/wss4j/trunk/src/site/resources/advisories/CVE-2015-0226.txt.asc
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/site/resources/advisories/CVE-2015-0226.txt.asc?rev=1658674&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/site/resources/advisories/CVE-2015-0226.txt.asc (added)
+++ webservices/wss4j/trunk/src/site/resources/advisories/CVE-2015-0226.txt.asc Tue Feb 10 11:05:22 2015
@@ -0,0 +1,54 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+CVE-2015-0226: Apache WSS4J is (still) vulnerable to Bleichenbacher's attack
+
+Severity: Major
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+This vulnerability affects all versions of Apache WSS4J prior to 1.6.17 and
+2.0.2.
+
+Description:
+
+Apache WSS4J 1.6.5 contained a countermeasure for Bleichenbacher's attack on
+XML Encryption, where the PKCS#1 v1.5 Key Transport Algorithm is used to
+encrypt symmetric keys as part of WS-Security. In particular, the fix avoided
+leaking information on whether decryption failed when decrypting the encrypted
+key or decrypting the message data.
+
+However, it is still possible to craft a message such that an attacker can tell 
+where the decryption failure took place, and hence WSS4J is vulnerable to the
+original attack. 
+
+See here for more information on the original fix for WSS4J 1.6.5:
+
+http://cxf.apache.org/note-on-cve-2011-2487.html
+
+This has been fixed in revision:
+
+http://svn.apache.org/viewvc?view=revision&revision=1621329
+
+Migration:
+
+WSS4J 1.6.x users should upgrade to 1.6.17 or later as soon as possible.
+WSS4J 2.0.x users should upgrade to 2.0.2 or later as soon as possible.
+
+References: http://ws.apache.org/wss4j/security_advisories.html
+
+Acknowledgments: Dennis Kupser, Christian Mainka, Juraj Somorovsky (Ruhr
+University Bochum)
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQEcBAEBAgAGBQJU2dzUAAoJEGe/gLEK1TmD9g0H/iARiT79KnfLBwRCJqRNGS7u
+OvN/ZuqhtFMSqeS6l0AiY0uvTTvLuJOyNbEk+guU9K0IqwyBPpM/jQXILGyvBDx4
+MzlGn/ot26Dwcdw1v58KJuAxKh287Ht1FBEgL2fpT2/PJZWRptFVsXWPmfJdipcn
+SKlXkfZS9amgbh6CtZisW5iLrsDfbNK6rd40ZYr7lkB/bFMuCYi+bxKTgZE+/PS/
+BvTv2qYtpvFxLWhakXKE4ycLLR4SMh57MXkFecyQXh4ArhiDYOceVWS+VtzTVumm
+vZnLhwlCXEkgAJJcaq80OM+/bSbw/v+8kplsEcRLW21eW1i/Gg14TCsp+2T8x7o=
+=Qhzt
+-----END PGP SIGNATURE-----

Added: webservices/wss4j/trunk/src/site/resources/advisories/CVE-2015-0227.txt.asc
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/site/resources/advisories/CVE-2015-0227.txt.asc?rev=1658674&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/site/resources/advisories/CVE-2015-0227.txt.asc (added)
+++ webservices/wss4j/trunk/src/site/resources/advisories/CVE-2015-0227.txt.asc Tue Feb 10 11:05:22 2015
@@ -0,0 +1,46 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+CVE-2015-0227: Apache WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property
+
+Severity: Major
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+This vulnerability affects all versions of Apache WSS4J prior to 1.6.17 and
+2.0.2.
+
+Description:
+
+Apache WSS4J has a "requireSignedEncryptedDataElements" boolean configuration
+property, which if set enforces that EncryptedData elements are in a signed
+subtree of the document. The default value of this property is "false". 
+However, it is possible to circumvent this setting by various types of
+wrapping attacks.
+
+This has been fixed in revision:
+
+http://svn.apache.org/viewvc?view=revision&revision=1619359
+
+Migration:
+
+WSS4J 1.6.x users should upgrade to 1.6.17 or later as soon as possible.
+WSS4J 2.0.x users should upgrade to 2.0.2 or later as soon as possible.
+
+References: http://ws.apache.org/wss4j/security_advisories.html
+
+Acknowledgments: Dennis Kupser, Christian Mainka, Juraj Somorovsky (Ruhr
+University Bochum)
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQEcBAEBAgAGBQJU2dzcAAoJEGe/gLEK1TmD+BgIALeCz42JQvRBMV2XF2W4/WdT
+7+ZSyJZM9vTOsy59FRDV2Njndsz+XL6CUbY2RtcEccir/rLHfE4pf/JLTVBZiYbr
+J8eOhvXFOyJ0BR/tLrliCohofsSmQCU/XBU7aYF1I7tlaJjehubw4/8DuPGLZz+b
+/og4t+2uSRujNf5Li8kxNGclx0hqpPFvEzMUGvq9+HPtPJaMLF3/b9+ns3VpfGP6
+ejq6kMNgiNiigoZCw3TXZ92hjuUsVSRdOQKtv0Lq0LVZ5+5HxMk5d9LZIpWjDP9L
+Li3lsXE0AxGr4NlIJF56MdaxqM9OJGBL7UaIjV0woHl9i7DhxwrBUJxF4lkX8uA=
+=gNWs
+-----END PGP SIGNATURE-----

Modified: webservices/wss4j/trunk/src/site/xdoc/index.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/site/xdoc/index.xml?rev=1658674&r1=1658673&r2=1658674&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/site/xdoc/index.xml (original)
+++ webservices/wss4j/trunk/src/site/xdoc/index.xml Tue Feb 10 11:05:22 2015
@@ -62,6 +62,14 @@ The Apache WSS4J team are pleased to ann
 Please see the <a href="https://issues.apache.org/jira/browse/WSS/fixforversion/12328782">
 release notes</a> for more information.
 </p>
+<p><b>February 2015</b> - 
+Two new security advisories have been issued for Apache WSS4J, both of which
+are fixed in 1.6.17 and 2.0.2.
+</p>
+<p>
+Please see the <a href="security_advisories.html">the security advisories</a>
+page for more information.
+</p>
 </li>
 </ul>
 </subsection>

Modified: webservices/wss4j/trunk/src/site/xdoc/security_advisories.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/site/xdoc/security_advisories.xml?rev=1658674&r1=1658673&r2=1658674&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/site/xdoc/security_advisories.xml (original)
+++ webservices/wss4j/trunk/src/site/xdoc/security_advisories.xml Tue Feb 10 11:05:22 2015
@@ -3,6 +3,19 @@
 <body>
 <section name="Security Advisories">
 <p>
+The following security advisories have been issued for Apache WSS4J:
+<ul>
+<li><b>2015</b></li>
+<ul>
+<li><a href="advisories/CVE-2015-0226.txt.asc">CVE-2015-0226</a> - Apache
+WSS4J is (still) vulnerable to Bleichenbacher's attack.</li>
+<li><a href="advisories/CVE-2015-0227.txt.asc">CVE-2015-0227</a> - Apache
+WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements
+property</li>
+</ul>
+</ul>
+</p>
+<p>
 As Apache WSS4J is a library that provides WS-Security functionality to web
 service stacks such as Apache CXF and Apache Axis, security issues associated
 with WS-Security tend to be reported to these downstream projects. Therefore