Apache WSS4J has a "requireSignedEncryptedDataElements" boolean configuration property, which if set enforces that EncryptedData elements are in a signed subtree of the document. The default value of this property is "false". However, it is possible to circumvent this setting by various types of wrapping attacks. This has been fixed in revision: http://svn.apache.org/viewvc?view=revision&revision=1619359
Created wss4j tracking bugs for this issue: Affects: fedora-all [bug 1191455]
This issue has been addressed in the following products: Red Hat JBoss Data Grid 6.4 Via RHSA-2015:0773 https://rhn.redhat.com/errata/RHSA-2015-0773.html
This issue has been addressed in the following products: JBoss Enterprise Application Platform 6.4.0 Via RHSA-2015:0849 https://rhn.redhat.com/errata/RHSA-2015-0849.html
This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 6 Via RHSA-2015:0847 https://rhn.redhat.com/errata/RHSA-2015-0847.html
This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 5 Via RHSA-2015:0846 https://rhn.redhat.com/errata/RHSA-2015-0846.html
This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 7 Via RHSA-2015:0848 https://rhn.redhat.com/errata/RHSA-2015-0848.html
This issue has been addressed in the following products: Red Hat JBoss A-MQ 6.2.0 Via RHSA-2015:1177 https://rhn.redhat.com/errata/RHSA-2015-1177.html
This issue has been addressed in the following products: Red Hat JBoss Fuse 6.2.0 Via RHSA-2015:1176 https://rhn.redhat.com/errata/RHSA-2015-1176.html