Severity
High
Analysis Summary
Apache WSS4J 1.6.5 contained a countermeasure for Bleichenbacher’s attack on XML Encryption, where the PKCS#1 v1.5 Key Transport Algorithm is used to encrypt symmetric keys as part of WS-Security. In particular, the fix avoided leaking information on whether decryption failed when decrypting the encrypted key or decrypting the message data.
Impact
Information disclosure
Affected Vendors
Apache
Affected Products
Apache WSS4J all versions prior to 1.6.17 and 2.0.2.
Remediation
Update to a fixed version
WSS4J 1.6.x : Should upgrade to 1.6.17 or later
WSS4J 2.0.x : Should upgrade to 2.0.2 or later