Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487.
rhn.redhat.com/errata/RHSA-2015-0846.html
rhn.redhat.com/errata/RHSA-2015-0847.html
rhn.redhat.com/errata/RHSA-2015-0848.html
rhn.redhat.com/errata/RHSA-2015-0849.html
rhn.redhat.com/errata/RHSA-2015-1176.html
rhn.redhat.com/errata/RHSA-2015-1177.html
access.redhat.com/errata/RHSA-2016:1376
github.com/apache/ws-wss4j
github.com/apache/ws-wss4j/commit/970b3e3756e2c75bf2379ce198365e1a7168c3c3
github.com/apache/ws-wss4j/commit/de5104b30ddde5fe7388ad57e1c5ace5c5509924
nvd.nist.gov/vuln/detail/CVE-2015-0226
support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03900en_us
svn.apache.org/viewvc?view=revision&revision=1621329
ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc
www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html