IBM Security Bulletin: Vulnerabilities in WSS4J affect IBM Cúram (CVE-2015-0226 & CVE-2015-0227)

IBM Cúram is shipped with a third-party library called WSS4J, which is vulnerable to an attack on XML Encryption. WSS4J also fails to properly enforce the requireSignedEncryptedDataElements property, which leaves it vulnerable to XML Signature wrapping...

from IBM Product Security Incident Response Team http://ift.tt/1VuVwLO