https://bugzilla.redhat.com/show_bug.cgi?id=1455566
Bug ID: 1455566
Summary: CVE-2014-9970 jasypt: Vulnerable to timing attack against the password hash comparison
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: anemec@redhat.com
CC: abhgupta@redhat.com, aileenc@redhat.com, alazarot@redhat.com, bbaranow@redhat.com, bmaxwell@redhat.com, bmcclain@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, csutherl@redhat.com, dandread@redhat.com, darran.lofthouse@redhat.com, dblechte@redhat.com, dosoudil@redhat.com, eedri@redhat.com, etirelli@redhat.com, gvarsami@redhat.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jcoleman@redhat.com, jshepherd@redhat.com, kconner@redhat.com, kseifried@redhat.com, kverlaen@redhat.com, ldimaggi@redhat.com, lgao@redhat.com, lpetrovi@redhat.com, mbaluch@redhat.com, mgoldboi@redhat.com, michal.skrivanek@redhat.com, mwinkler@redhat.com, myarboro@redhat.com, nwallace@redhat.com, pavelp@redhat.com, pgier@redhat.com, psakar@redhat.com, pslavice@redhat.com, psotirop@redhat.com, puntogil@libero.it, rnetuka@redhat.com, rrajasek@redhat.com, rsvoboda@redhat.com, rwagner@redhat.com, rzhang@redhat.com, sherold@redhat.com, tcunning@redhat.com, tiwillia@redhat.com, tkirby@redhat.com, twalsh@redhat.com, vtunka@redhat.com, ydary@redhat.com, ykaul@redhat.com
It was found that jasypt, in versions before the upstream fix linked below, allows a timing attack against the password hash comparison: the comparison of the stored digest with the digest of the supplied password is not constant-time, so the time taken to reject a guess depends on how many leading bytes matched.
Upstream patch:
https://sourceforge.net/p/jasypt/code/668/
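Added illustration of the bug class, not jasypt's code and not the upstream patch: an early-exit digest comparison whose run time depends on the position of the first mismatching byte, beside a constant-time comparison that always processes the whole array. The SHA-256 digests and the sample password are constructed for the demo; `DigestCompare` and its method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Constructed example of the two comparison shapes behind CVE-2014-9970.
public final class DigestCompare {

    // Vulnerable pattern: returns at the first mismatching byte, so the time
    // taken to reject a guess leaks how many leading bytes were correct.
    static boolean earlyExitEquals(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        for (int i = 0; i < a.length; i++) {
            if (a[i] != b[i]) {
                return false; // data-dependent exit point
            }
        }
        return true;
    }

    // Hardened pattern: always walks the whole array and ORs the byte
    // differences together, so the run time does not depend on where the
    // first mismatch is. Returning early on a length mismatch is acceptable
    // here because digests of one algorithm have a fixed length.
    // MessageDigest.isEqual in current JDKs uses the same approach.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    static byte[] sha256(String s) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256")
                .digest(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] stored = sha256("correct horse battery staple"); // constructed sample
        byte[] right = sha256("correct horse battery staple");
        byte[] wrong = sha256("wrong guess");
        System.out.println(earlyExitEquals(stored, right) + " " + earlyExitEquals(stored, wrong));
        System.out.println(constantTimeEquals(stored, right) + " " + constantTimeEquals(stored, wrong));
        System.out.println(MessageDigest.isEqual(stored, right)); // library equivalent
    }
}
```

Both functions return the same boolean results; the difference a reviewer should look for is whether the loop can exit before the last byte.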