CyberSource
diff --git a/‎README.md‎
Lines changed: 24 additions & 13 deletions b/‎README.md‎
Lines changed: 24 additions & 13 deletions
diff --git a/‎java/pom.xml‎
Lines changed: 79 additions & 13 deletions b/‎java/pom.xml‎
Lines changed: 79 additions & 13 deletions
diff --git a/‎java/src/main/java/com/cybersource/ws/client/MessageHandlerKeyStore.java‎
Lines changed: 3 additions & 5 deletions b/‎java/src/main/java/com/cybersource/ws/client/MessageHandlerKeyStore.java‎
Lines changed: 3 additions & 5 deletions
@@ -1,6 +1,6 @@
 # CyberSource Simple Order API for Java
 
-[![Build Status](https://travis-ci.org/CyberSource/cybersource-sdk-java.png?branch=future)](https://travis-ci.org/CyberSource/cybersource-sdk-java)
+[![Build Status](https://travis-ci.org/CyberSource/cybersource-sdk-java.png?branch=master)](https://travis-ci.org/CyberSource/cybersource-sdk-java)
 
 ## Package Managers
 
@@ -227,33 +227,44 @@ Retry Pattern allows to retry sending a failed request and it will only work wit
   - Config parameter for this property is 'retryInterval' in `cybs.property` file. The default value for 'retryInterval' parameter is 1000 which means a delay of 1000 milliSeconds.
 
 ## Third Party jars
-    1. org.apache.ws.security.wss4j:1.6.19
-      The Apache WSS4J project provides a Java implementation of the primary security standards for Web Services, namely the OASIS Web Services Security (WS-Security) specifications from the OASIS Web Services Security TC.
-    2. org.bouncycastle:bcprov-jdk15on:1.61
+    1. org.apache.wss4j:wss4j-ws-security-common:2.4.1
+      The Apache WSS4J project provides a Java implementation of the common primary security standards for Web Services, namely the OASIS Web Services Security (WS-Security) specifications from the OASIS Web Services Security TC.
+    2. org.apache.wss4j:wss4j-ws-security-dom:2.4.1
+      WSS4J 2.0.0 introduces a streaming (StAX-based) WS-Security implementation to complement the existing DOM-based implementation. The DOM-based implementation is quite performant and flexible, but suffers from having to read the entire XML tree into memory. For large SOAP requests this can have a detrimental impact on performance. In addition, for web services stacks such as Apache CXF which are streaming-based, it carries an additional performance penalty of having to explicitly convert the request stream to a DOM Element.
+    3. org.bouncycastle:bcprov-jdk15on:1.70
       This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
-    3. org.apache.santuario:xmlsec:1.5.6
+    4. org.apache.santuario:xmlsec:2.3.0
       The XML Security project is aimed at providing implementation of security standards for XML,supports XML-Signature Syntax and Processing,XML Encryption Syntax and Processing, and supports XML Digital Signature APIs.
-    4. org.apache.commons:commons-lang3:3.4
+    5. org.apache.commons:commons-lang3:3.4
       Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
-    5. commons-logging:commons-logging:jar:1.1.1
+    6. commons-logging:commons-logging:jar:1.1.1
       This is getting downloaded as compile time dependency of wss4j:1.6.19.Apache Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.
-    6. org.slf4j:slf4j-api:1.7.21 and org.slf4j:slf4j-jcl:1.7.21
+    7. org.slf4j:slf4j-api:1.7.32 and org.slf4j:slf4j-jcl:1.7.32
       slf4j-api is getting used as a dependency for wss4j. Modified to latest version.
-    7. junit:junit:4.13.1
+    8. junit:junit:4.13.1
       JUnit is a unit testing framework for Java.
-    8. org.mockito:mockito-all:1.10.19
+    9. org.mockito:mockito-all:1.10.19
       Mock objects library for java  
-    9. org.apache.httpcomponents:httpclient:4.5.13
+    10. org.apache.httpcomponents:httpclient:4.5.13
        Provides reusable components for client-side authentication, HTTP state management, and HTTP connection management. It is used for poolinghttpclientconnectionmanager feature.
-    10. org.apache.httpcomponents:httpcore:4.4.13
+    11. org.apache.httpcomponents:httpcore:4.4.13
        Provides low level HTTP transport components that can be used to build custom client and server side HTTP services with a minimal footprint.
 
 ## Changes
 _______________________________
-Version Cybersource-sdk-java 6.2.12 (MAY,2022)
+Version Cybersource-sdk-java 6.2.13 (AUGUST,2022)
 _______________________________
     1)Modified the CYBS P12 certificate's CN name verification to case insensitive.
 _______________________________
+
+_______________________________    
+Version Cybersource-sdk-java 6.2.12 (JULY,2022)
+_______________________________
+    1) Mitigation of Apache WSS4j Security Vulnerability (CVE-2016-1000343, CVE-2018-1000180).
+       i) Updated Apache wss4j version from 1.6.19 to 2.4.1
+       ii) Updated dependent libraries version. (xmlsec from 1.5.6 to 2.3.0, bcprov-jdk15on from 1.61 to 1.70)
+_______________________________
+_______________________________
 Version Cybersource-sdk-java 6.2.11 (MAY,2020)
 _______________________________
     1)Exception handling improvement.
 
@@ -2,17 +2,20 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
 
     <modelVersion>4.0.0</modelVersion>
+
     <parent>
         <groupId>org.sonatype.oss</groupId>
         <artifactId>oss-parent</artifactId>
         <version>7</version>
     </parent>
+
     <groupId>com.cybersource</groupId>
     <artifactId>cybersource-sdk-java</artifactId>
-    <version>6.2.12-SNAPSHOT</version>
+    <version>6.2.13-SNAPSHOT</version>
     <name>cybersource-sdk-java</name>
     <description>Simple Order API Client</description>
     <url>http://www.cybersource.com</url>
+
     <licenses>
         <license>
             <name>CyberSource SDK License Agreement</name>
@@ -37,7 +40,17 @@
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+        <junit.version>4.13.1</junit.version>
+        <xalan.version>2.7.2</xalan.version>
+        <xmlsec.version>2.3.0</xmlsec.version>
+        <httpclient.version>4.5.13</httpclient.version>
+        <bouncycastle.version>1.70</bouncycastle.version>
+        <wss4j.version>2.4.1</wss4j.version>
+        <commonlang3.version>3.4</commonlang3.version>
+        <mockito.version>1.10.19</mockito.version>
+        <slf4j.version>1.7.32</slf4j.version>
     </properties>
+
     <packaging>jar</packaging>
 
     <profiles>
@@ -219,23 +232,29 @@
       <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>
-            <version>4.13.1</version>
+            <version>${junit.version}</version>
             <scope>test</scope>
         </dependency>
        <dependency>
               <groupId>xalan</groupId>
              <artifactId>xalan</artifactId>
-             <version>2.7.2</version>
+             <version>${xalan.version}</version>
         </dependency>
         <dependency>
     		<groupId>org.apache.santuario</groupId>
     		<artifactId>xmlsec</artifactId>
-    		<version>1.5.6</version>
+    		<version>${xmlsec.version}</version>
+            <exclusions>
+               <exclusion>
+                    <artifactId>woodstox-core</artifactId>
+                    <groupId>com.fasterxml.woodstox</groupId>
+                </exclusion>
+            </exclusions>
 		</dependency>
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>
             <artifactId>httpclient</artifactId>
-            <version>4.5.13</version>
+            <version>${httpclient.version}</version>
             <exclusions>
                 <exclusion>
                     <groupId>commons-logging</groupId>
@@ -246,28 +265,75 @@
          <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcprov-jdk15on</artifactId>
-            <version>1.61</version>
+            <version>${bouncycastle.version}</version>
         </dependency>
         <dependency>
-            <groupId>org.apache.ws.security</groupId>
-            <artifactId>wss4j</artifactId>
-            <version>1.6.19</version>
-	        <exclusions>
+            <groupId>org.apache.wss4j</groupId>
+            <artifactId>wss4j-ws-security-common</artifactId>
+            <version>${wss4j.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>com.google.guava</groupId>
+                    <artifactId>guava</artifactId>
+                </exclusion>
+                <exclusion>
+                    <artifactId>cryptacular</artifactId>
+                    <groupId>org.cryptacular</groupId>
+                </exclusion>
+                <exclusion>
+                    <artifactId>opensaml-saml-impl</artifactId>
+                    <groupId>org.opensaml</groupId>
+                </exclusion>
+                <exclusion>
+                    <artifactId>opensaml-xacml-impl</artifactId>
+                    <groupId>org.opensaml</groupId>
+                </exclusion>
                 <exclusion>
+                    <artifactId>opensaml-xacml-saml-impl</artifactId>
                     <groupId>org.opensaml</groupId>
-                    <artifactId>opensaml</artifactId>
+                </exclusion>
+                <exclusion>
+                    <artifactId>slf4j-api</artifactId>
+                    <groupId>org.slf4j</groupId>
+                </exclusion>
+                <exclusion>
+                    <artifactId>joda-time</artifactId>
+                    <groupId>joda-time</groupId>
+                </exclusion>
+                <exclusion>
+                    <artifactId>jasypt</artifactId>
+                    <groupId>org.jasypt</groupId>
+                </exclusion>
+                <exclusion>
+                    <artifactId>geronimo-javamail_1.4_mail</artifactId>
+                    <groupId>org.apache.geronimo.javamail</groupId>
+                </exclusion>
+                <exclusion>
+                    <artifactId>xmlsec</artifactId>
+                    <groupId>org.apache.santuario</groupId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.wss4j</groupId>
+            <artifactId>wss4j-ws-security-dom</artifactId>
+            <version>${wss4j.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.ehcache</groupId>
+                    <artifactId>ehcache</artifactId>
                 </exclusion>
             </exclusions>
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
-            <version>3.4</version>
+            <version>${commonlang3.version}</version>
         </dependency>
         <dependency>
       	    <groupId>org.mockito</groupId>
             <artifactId>mockito-all</artifactId>
-            <version>1.10.19</version>
+            <version>${mockito.version}</version>
             <scope>test</scope>
         </dependency>
     </dependencies>
 
@@ -1,7 +1,6 @@
 package com.cybersource.ws.client;
 
-import org.apache.ws.security.components.crypto.CredentialException;
-import org.apache.ws.security.components.crypto.Merlin;
+import org.apache.wss4j.common.crypto.Merlin;
 
 import java.io.IOException;
 import java.security.KeyStoreException;
@@ -15,11 +14,10 @@
 public class MessageHandlerKeyStore extends Merlin {
 
     /**
-     * @throws CredentialException
      * @throws IOException
      */
-	public MessageHandlerKeyStore() throws CredentialException, IOException {
-        super(null);
+	public MessageHandlerKeyStore() {
+        super();
         properties = new Properties();
     }