Apache WSS4J is prone to an information-disclosure vulnerability.
Successfully exploiting this issue can allow an attacker to obtain sensitive information that may aid in launching further attacks.
Information
Redhat JBoss Enterprise Application Platform 6.3
Redhat JBoss A-MQ 6.1.0
Oracle PeopleSoft Enterprise PeopleTools 8.57
Oracle PeopleSoft Enterprise PeopleTools 8.56
Oracle PeopleSoft Enterprise PeopleTools 8.55
IBM WebSphere Application Server Liberty Profile 8.5.5.5
IBM WebSphere Application Server Liberty Profile 8.5.5.4
IBM WebSphere Application Server Liberty Profile 8.5.5.3
IBM WebSphere Application Server Liberty Profile 8.5.5.2
IBM WebSphere Application Server Liberty Profile 8.5.5.1
IBM WebSphere Application Server Liberty Profile 8.5
IBM Care management 6.0
IBM Cúram Social Program Management 6.0.5
IBM Cúram Social Program Management 6.0.4
IBM Cúram Social Program Management 6.1
IBM Cúram Social Program Management 6.0 SP2
IBM Cúram Social Program Management 5.2 SP6
Apache Wss4j 1.6.14
Apache Wss4j 2.0.1
Apache Wss4j 1.6.16
Apache Wss4j 1.6.15
Apache Wss4j 1.6.13
Apache Wss4j 1.6.12
Apache Wss4j 1.6.11
Apache Wss4j 1.6.10
Redhat JBoss Enterprise Application Platform 6.4
Redhat JBoss A-MQ 6.2
IBM WebSphere Application Server Liberty Profile 8.5.5.6
Apache Wss4j 2.0.2
Apache Wss4j 1.6.17
Exploit
Attackers can use readily available tools to exploit this issue.
References:
- Apache WSS4J Homepage (The Apache Software Foundation)
- CVE-2015-0226: Apache WSS4J is (still) vulnerable to Bleichenbacher's attack (The Apache Software Foundation)
- Important: Red Hat JBoss A-MQ 6.2.0 update (Red Hat)
- Important: Red Hat JBoss Fuse 6.2.0 update (Red Hat)
- Oracle Critical Patch Update Advisory - July 2019 (Oracle)
- RHSA-2015-0849 (Red Hat)
- swg21959083: Security Bulletin: Multiple Security Vulnerabilities fixed in IBM W (IBM)
- swg21964133: Vulnerabilities in WSS4J affects IBM Cúram (CVE-2015-0226 & CVE-201 (IBM)