Description

Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be ineffective even when operators configured a replay cache on the interceptor, allowing attackers to re-submit still-valid cryptographic material within the acceptance window.

Preconditions include validation of constructs that rely on replay detection, a service that accepts repeated SOAP messages over the network, and configurations that expect WSS4J replay caches to be enforced.

Affected Spring Products and Versions

Spring Web Services:

5.0.0 - 5.0.1
4.1.0 - 4.1.3
4.0.0 - 4.0.18
3.1.0 - 3.1.8

Versions that are no longer supported are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)	Fix version	Availability
5.0.x	5.0.2	OSS
	5.0.1.1	Enterprise Support Only
4.1.x	4.1.4	OSS
	4.1.3.1	Enterprise Support Only
4.0.x	4.0.19	Enterprise Support Only
3.1.x	3.1.9	Enterprise Support Only

If you are not able to upgrade, you can enable a replay cache by extending Wss4jSecurityInterceptor and overriding initializeValidationRequestData(MessageContext messageContext):

protected RequestData initializeValidationRequestData(MessageContext messageContext) {
    RequestData requestData = super.initializeValidationRequestData(messageContext);
	// Create ReplayCache according to your deployment scenario
	requestData.setNonceReplayCache(replayCache);
	requestData.setTimestampReplayCache(replayCache);
	requestData.setSamlOneTimeUseReplayCache(replayCache);
	return requestData;
}