Upgrade CXF to latest version to get rid of CVE-2022-46364 and

CVE-2022-46363 Also upgrade WSS4J to 2.4.1 which is supposed to work with CXF >= 3.4.*.
OxalisCommunity · Dec 20, 2022 · 824db31 · 824db31
1 parent 75d9a0c
commit 824db31
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 5 deletions.
diff --git a/pom.xml b/pom.xml
@@ -97,8 +97,8 @@
 
         <peppol.sbdh.version>1.0.0</peppol.sbdh.version>
 
-        <cxf.version>3.3.8</cxf.version>
-        <wss4j.version>2.2.7</wss4j.version>
+        <cxf.version>3.5.5</cxf.version>
+        <wss4j.version>2.4.1</wss4j.version>
         <neethi.version>3.2.0</neethi.version>
         <soap.version>1.4.0</soap.version>
 

diff --git a/src/main/java/network/oxalis/as4/util/OxalisAlgorithmSuiteLoader.java b/src/main/java/network/oxalis/as4/util/OxalisAlgorithmSuiteLoader.java
@@ -70,13 +70,14 @@ public static class OxalisAlgorithmSuite extends AlgorithmSuite {
                             128, 128, 128, 256, 1024, 4096
                     )
             );
-            ALGORITHM_SUITE_TYPES.get(BASIC_128_GCM_SHA_256_MGF_SHA_256).setMGFAlgo(MGF_SHA256);
-            ALGORITHM_SUITE_TYPES.get(BASIC_128_GCM_SHA_256_MGF_SHA_256).setEncryptionDigest(SPConstants.SHA256);
+            AlgorithmSuiteType algorithmSuiteType = ALGORITHM_SUITE_TYPES.get(BASIC_128_GCM_SHA_256_MGF_SHA_256);
+            algorithmSuiteType.setMGFAlgo(MGF_SHA256);
+            algorithmSuiteType.setEncryptionDigest(SPConstants.SHA256);
+            algorithmSuiteType.setAsymmetricSignature("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
         }
 
         OxalisAlgorithmSuite(final SPConstants.SPVersion version, final Policy nestedPolicy) {
             super(version, nestedPolicy);
-            this.setAsymmetricSignature("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
         }
 
         @Override