https://bugzilla.redhat.com/show_bug.cgi?id=1464158
Bug ID: 1464158
Summary: CVE-2017-9735 jetty: Timing channel attack in util/security/Password.java
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: anemec@redhat.com
CC: eclipse-sig@lists.fedoraproject.org, hhorak@redhat.com, java-sig-commits@lists.fedoraproject.org, jjohnstn@redhat.com, jorton@redhat.com, krzysztof.daniel@gmail.com, mizdebsk@redhat.com, msimacek@redhat.com
Jetty is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Upstream issue:
https://github.com/eclipse/jetty.project/issues/1556
Upstream patch:
https://github.com/eclipse/jetty.project/commit/042f325f1cd6e7891d72c7e668f5...
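The weakness class this bug tracks (CWE-385), shown as an added illustration that is not Jetty's code and not the upstream patch: an early-exit byte comparison whose rejection time depends on how many leading bytes of the guess are correct, next to a comparison whose time does not. The class name, method names and sample strings are constructed for the example; `MessageDigest.isEqual` is the standard JDK API.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added illustration of CWE-385 in a password check; not Jetty's code. */
public final class PasswordCheck {

    // Vulnerable pattern: returns at the first differing byte, so the time
    // to reject a guess grows with the number of correct leading bytes, and
    // the length check leaks the length outright. This is the kind of timing
    // channel CVE-2017-9735 describes.
    static boolean earlyExitEquals(byte[] expected, byte[] supplied) {
        if (expected.length != supplied.length) {
            return false;
        }
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != supplied[i]) {
                return false; // exits early: leaks the mismatch position
            }
        }
        return true;
    }

    // Hardened form: hash both sides to a fixed length first, so the supplied
    // length is not revealed either, then compare with MessageDigest.isEqual,
    // which in current JDKs compares equal-length arrays in time that does
    // not depend on where (or whether) they differ.
    static boolean constantTimeEquals(byte[] expected, byte[] supplied) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] a = md.digest(expected);
            byte[] b = md.digest(supplied);
            return MessageDigest.isEqual(a, b);
        } catch (NoSuchAlgorithmException e) {
            // SHA-256 is a mandatory algorithm in every Java runtime.
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: stored secret and a near-miss guess.
        byte[] stored = "correct horse".getBytes(StandardCharsets.UTF_8);
        byte[] guess = "correct hors3".getBytes(StandardCharsets.UTF_8);
        System.out.println("early-exit:    " + earlyExitEquals(stored, guess));
        System.out.println("constant-time: " + constantTimeEquals(stored, guess));
        System.out.println("constant-time: " + constantTimeEquals(stored, stored));
    }
}
```

Both checks return the same boolean; the difference an observer can measure is only in how long the rejecting branch takes, which is why the fix is in the comparison routine rather than in the result.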
Andrej Nemec anemec@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends On|                            |1464159
--- Comment #1 from Andrej Nemec anemec@redhat.com ---
Created jetty tracking bugs for this issue:
Affects: fedora-all [bug 1464159]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1464159 [Bug 1464159] CVE-2017-9735 jetty: Timing channel attack in util/security/Password.java [fedora-all]
Andrej Nemec anemec@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1464160
Dhiru Kholia dkholia@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |java-maint@redhat.com
         Whiteboard|(see below)                 |(see below)

Whiteboard removed:
impact=moderate,public=20170516,reported=20170616,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jetty=affected,rhel-6/jetty-eclipse=new,rhel-7/jetty-eclipse=new,rhscl-2/rh-java-common-jetty=new
Whiteboard added:
impact=moderate,public=20170516,reported=20170616,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jetty=affected,rhel-6/jetty-eclipse=new,rhel-7/jetty=new,rhscl-2/rh-java-common-jetty=new
Dhiru Kholia dkholia@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|(see below)                 |(see below)

Whiteboard removed:
impact=moderate,public=20170516,reported=20170616,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jetty=affected,rhel-6/jetty-eclipse=new,rhel-7/jetty=new,rhscl-2/rh-java-common-jetty=new
Whiteboard added:
impact=moderate,public=20170516,reported=20170616,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jetty=affected,rhel-6/jetty-eclipse=new,rhel-7/jetty=wontfix,rhscl-2/rh-java-common-jetty=new
Dhiru Kholia dkholia@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|(see below)                 |(see below)

Whiteboard removed:
impact=moderate,public=20170516,reported=20170616,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jetty=affected,rhel-6/jetty-eclipse=new,rhel-7/jetty=wontfix,rhscl-2/rh-java-common-jetty=new
Whiteboard added:
impact=moderate,public=20170516,reported=20170616,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jetty=affected,rhel-6/jetty-eclipse=wontfix,rhel-7/jetty=wontfix,rhscl-2/rh-java-common-jetty=new
Dhiru Kholia dkholia@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|(see below)                 |(see below)

Whiteboard removed:
impact=moderate,public=20170516,reported=20170616,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jetty=affected,rhel-6/jetty-eclipse=wontfix,rhel-7/jetty=wontfix,rhscl-2/rh-java-common-jetty=new
Whiteboard added:
impact=moderate,public=20170516,reported=20170616,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jetty=affected,rhel-6/jetty-eclipse=wontfix,rhel-7/jetty=wontfix,rhscl-2/rh-java-common-jetty=wontfix
--- Comment #4 from Dhiru Kholia dkholia@redhat.com ---
Statement:
Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/
Dhiru Kholia dkholia@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|---                         |WONTFIX
        Last Closed|                            |2017-07-05 04:00:06
Bug 1464158 depends on bug 1464159, which changed state.
Bug 1464159 Summary: CVE-2017-9735 jetty: Timing channel attack in util/security/Password.java [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1464159
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|MODIFIED                    |CLOSED
         Resolution|---                         |ERRATA
Hooman Broujerdi hghasemb@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hghasemb@redhat.com
         Whiteboard|(see below)                 |(see below)

Whiteboard removed:
impact=moderate,public=20170516,reported=20170616,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jetty=affected,rhel-6/jetty-eclipse=wontfix,rhel-7/jetty=wontfix,rhscl-2/rh-java-common-jetty=wontfix
Whiteboard added:
impact=moderate,public=20170516,reported=20170616,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jetty=affected,rhel-6/jetty-eclipse=wontfix,rhel-7/jetty=wontfix,rhscl-2/rh-java-common-jetty=wontfix,fis-2/jetty=affected