Security Advisory - Published 2026-06-27 - Apache / Crypto
Apache and wolfSSL batch: check trust validation, path handling, and Kerberos pre-authentication
This batch mixes Apache service advisories with wolfSSL OpenSSL-compatibility validation issues. The practical work is version inventory, trust-chain review, path exposure checks, and log preservation before any library or service upgrade.
Affected CVEs in this batch
| CVE | Product | Affected | Review | CVSS |
|---|---|---|---|---|
| CVE-2025-55017 | Apache IoTDB | vendor-fixed release | trust and service logs | 9.1 |
| CVE-2025-64152 | Apache IoTDB | vendor-fixed release | trust and service logs | 9.1 |
| CVE-2026-11310 | wolfSSL | vendor-fixed release | trust and service logs | 8.7 |
| CVE-2026-11999 | wolfSSL | vendor-fixed release | trust and service logs | 8.2 |
| CVE-2026-55961 | wolfSSL | vendor-fixed release | trust and service logs | 8.2 |
| CVE-2026-57915 | Apache Kerby | vendor-fixed release | trust and service logs | 7.3 |
| CVE-2026-55964 | wolfSSL | vendor-fixed release | trust and service logs | 6.3 |
What to check
- Apache IoTDB deployments, exposed APIs, data directories, and file access controls.
- Apache Kerby use where Kerberos pre-authentication is relied on for boundary enforcement.
- wolfSSL builds with OpenSSL compatibility features enabled.
- Certificate validation failures, unusual trust-chain behavior, and PKCS#7/CMS verification paths.
- Services that vendor or statically link wolfSSL instead of using the OS package.
Safe fix path
- Apply the vendor update for Apache IoTDB, Apache Kerby, and wolfSSL or rebuild linked products with the fixed library.
- Review trust-store changes and intermediate certificate handling before closing the issue.
- Preserve authentication, certificate, and service logs from the exposure window.
- Retest application-level certificate validation after patching, using owned services only.
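The "what to check" and "safe fix path" steps above reduce to one inventory-driven decision per component: does the installed version predate the fixed release, and if so, does a package update reach it or does the product have to be rebuilt because wolfSSL is vendored or statically linked (the case the advisory singles out)? The following is an added example of that planner, not part of the advisory and not vendor tooling. The `FIXED_VERSIONS` values are placeholders to be replaced with the releases named in the vendor advisories, and the inventory, hosts and service names are constructed.

```python
"""Remediation planner for the batch above.

Added example; it is not part of the advisory and not vendor tooling.
FIXED_VERSIONS holds placeholders, not the real fixed releases, and the
inventory is a constructed sample of the fields a deployment record should
carry for this batch.
"""
from collections import defaultdict
from dataclasses import dataclass

# PLACEHOLDER fixed versions: substitute the releases named in the vendor
# advisories for Apache IoTDB, Apache Kerby and wolfSSL before use.
FIXED_VERSIONS = {
    "apache-iotdb": "9.9.9",
    "apache-kerby": "9.9.9",
    "wolfssl": "9.9.9",
}


@dataclass(frozen=True)
class Component:
    host: str
    service: str        # deployment unit that carries the component
    name: str           # key into FIXED_VERSIONS
    version: str
    linkage: str        # "package" (OS package), "vendored" or "static"
    openssl_compat: bool = False  # wolfSSL built with OpenSSL compatibility


def parse_version(text):
    """'5.7.0' -> (5, 7, 0). Assumes dotted integer releases; a pre-release
    suffix such as '-rc1' is dropped, so an rc of the fixed release compares
    as fixed and must be confirmed by hand."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def is_vulnerable(c):
    fixed = FIXED_VERSIONS.get(c.name)
    return fixed is not None and parse_version(c.version) < parse_version(fixed)


def plan(c):
    """Return (action, reason) for one inventory entry."""
    if not is_vulnerable(c):
        return "ok", "at or above the fixed release"
    if c.name == "wolfssl" and c.linkage in ("vendored", "static"):
        # An OS package update does not reach a library compiled into the
        # product; the product itself has to be rebuilt against the fix.
        return "rebuild", "wolfSSL is linked into the product"
    return "upgrade", "vendor update applies to the installed package"


def follow_ups(c):
    """Post-patch checks the advisory asks for, keyed on the component."""
    checks = []
    if c.name == "wolfssl" and c.openssl_compat:
        checks.append("retest certificate validation and PKCS#7/CMS paths")
    if c.name == "apache-kerby":
        checks.append("confirm pre-authentication still enforces the boundary")
    if c.name == "apache-iotdb":
        checks.append("review exposed APIs, data directories and file ACLs")
    return checks


def triage(inventory):
    """Group entries by action; each entry also carries its follow-up checks."""
    out = defaultdict(list)
    for c in inventory:
        action, reason = plan(c)
        out[action].append((c.host, c.service, c.name, c.version, reason, follow_ups(c)))
    return dict(out)


# Constructed sample inventory (hosts, services and versions are made up).
SAMPLE_INVENTORY = [
    Component("edge01", "edge-proxy", "wolfssl", "5.0.0", "static", openssl_compat=True),
    Component("ts01", "iotdb", "apache-iotdb", "1.2.0", "package"),
    Component("kdc01", "kerby-kdc", "apache-kerby", "2.0.0", "package"),
    Component("edge02", "edge-proxy", "wolfssl", "9.9.9", "package", openssl_compat=True),
]

if __name__ == "__main__":
    for action, entries in triage(SAMPLE_INVENTORY).items():
        for host, service, name, version, reason, checks in entries:
            print(f"{action:8} {host}/{service} {name} {version}: {reason}; then: {checks}")
```

The split between `upgrade` and `rebuild` is the point: a package-manager sweep will report the statically linked copy on `edge01` as absent, so the inventory has to record linkage, not just installed packages, or that host is closed as fixed while still carrying the old library.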
Compromise indicators
- New users, role changes, unexpected sessions, or unknown API tokens.
- Files changed during the exposure window, especially executable files or generated configs.
- Repeated application errors, database errors, queue failures, or unusual outbound requests.
- Plugin, container, service, or package versions that differ from the expected deployment record.
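Once the logs from the exposure window are preserved, the indicators above can be run over them mechanically: identity events (new users, role changes), API tokens not on the deployment record, and error classes that repeat rather than occur once. The following is an added example of that triage, not part of the advisory and not any product's tooling. The log format (ISO timestamp, service, event name, `key=value` fields) is an assumption chosen for the example, and every log line, token and window boundary is constructed.

```python
"""Exposure-window log triage for the indicators listed above.

Added example; not part of the advisory and not any product's tooling.
The log format (ISO timestamp, service, event name, key=value fields) is an
assumption chosen for the example, and every line below is constructed.
"""
import re
from collections import Counter
from datetime import datetime

LINE = re.compile(r"^(?P<ts>\S+) (?P<service>\S+) (?P<event>\S+)(?P<rest>.*)$")
KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample: three repeated chain failures, one new user, one token
# not on the allow-list, one isolated DB error, and one role change that
# falls outside the exposure window.
SAMPLE_LOGS = """
2026-06-20T10:00:00 iotdb cert.verify.fail peer=ingest-a reason=chain
2026-06-20T10:00:05 iotdb cert.verify.fail peer=ingest-a reason=chain
2026-06-20T10:00:09 iotdb cert.verify.fail peer=ingest-a reason=chain
2026-06-20T10:01:00 kerby user.create user=svc-backup2
2026-06-20T10:01:30 iotdb api.token.use token=tok-0042
2026-06-20T10:02:00 iotdb api.token.use token=tok-9001
2026-06-20T10:03:00 iotdb db.error code=E42
2026-06-25T09:00:00 kerby role.change user=alice role=admin
""".strip().splitlines()

# Token identifiers the deployment record knows about (constructed).
KNOWN_TOKENS = {"tok-0042"}

IDENTITY_EVENTS = {"user.create", "role.change"}
ERROR_EVENTS = {"cert.verify.fail", "app.error", "db.error"}


def parse(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE.match(line)
    if m is None:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "service": m["service"], "event": m["event"]}
    rec.update(KV.findall(m["rest"]))
    return rec


def triage(lines, window_start, window_end, known_tokens, repeat_threshold=3):
    """Findings are (kind, service, event, detail) tuples restricted to the window."""
    start, end = datetime.fromisoformat(window_start), datetime.fromisoformat(window_end)
    findings, repeats = [], Counter()
    for rec in filter(None, map(parse, lines)):
        if not start <= rec["ts"] <= end:
            continue  # outside the exposure window, not evidence for this batch
        event = rec["event"]
        if event in IDENTITY_EVENTS:
            findings.append(("identity-change", rec["service"], event, rec.get("user", "?")))
        elif event == "api.token.use" and rec.get("token") not in known_tokens:
            findings.append(("unknown-token", rec["service"], event, rec.get("token", "?")))
        elif event in ERROR_EVENTS:
            repeats[(rec["service"], event)] += 1
    # A single error is noise; repetition is the indicator the advisory names.
    for (service, event), n in sorted(repeats.items()):
        if n >= repeat_threshold:
            findings.append(("repeated-error", service, event, f"{n} occurrences"))
    return findings


def run_sample():
    """Run the triage over the constructed logs with a constructed window."""
    return triage(SAMPLE_LOGS, "2026-06-19T00:00:00", "2026-06-24T23:59:59", KNOWN_TOKENS)


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

The window filter matters as much as the rules: the role change on the last line is a legitimate finding in general but is dated after the window, so it is left for normal review rather than attributed to this batch. The single `db.error` is below the repeat threshold and is likewise not reported.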
When to ask Ping7 for repair
Use Ping7 CVE Repair when the affected component is public, logs show suspicious activity, patching may break production, or cleanup requires file, database, user, token, or container review.