https://bugzilla.redhat.com/show_bug.cgi?id=1774726
Bug ID: 1774726
Summary: CVE-2019-12422 shiro: Cookie padding oracle vulnerability with default configuration
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: psampaio@redhat.com
CC: aileenc@redhat.com, ataylor@redhat.com, chazlett@redhat.com, dbecker@redhat.com, drieden@redhat.com, extras-orphan@fedoraproject.org, ganandan@redhat.com, ggaughan@redhat.com, gvarsami@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jcoleman@redhat.com, jjoyce@redhat.com, jochrist@redhat.com, jschluet@redhat.com, kbasil@redhat.com, kconner@redhat.com, ldimaggi@redhat.com, lhh@redhat.com, lpeer@redhat.com, mburns@redhat.com, mkolesni@redhat.com, nwallace@redhat.com, puntogil@libero.it, rwagner@redhat.com, sclewis@redhat.com, scohen@redhat.com, slinaber@redhat.com, tcunning@redhat.com, tkirby@redhat.com
Target Milestone: ---
Classification: Other

In Apache Shiro before 1.4.2, when the default "remember me" configuration is used, cookies could be susceptible to a padding attack.
https://lists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce2...
Pedro Sampaio psampaio@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends On|                            |1774727

--- Comment #1 from Pedro Sampaio psampaio@redhat.com ---
Created shiro tracking bugs for this issue:
Affects: fedora-all [bug 1774727]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1774727 [Bug 1774727] CVE-2019-12422 shiro: Cookie padding oracle vulnerability with default configuration [fedora-all]
Pedro Sampaio psampaio@redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1774728
--- Comment #2 from Kunjan Rathod krathod@redhat.com ---
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
* Red Hat JBoss Fuse Service Works 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Product Security DevOps Team prodsec-dev@redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|---                         |WONTFIX
        Last Closed|                            |2019-12-11 01:24:05

--- Comment #5 from Product Security DevOps Team prodsec-dev@redhat.com ---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-12422
--- Comment #8 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat Fuse 7.6.0
Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983
errata-xmlrpc errata-xmlrpc@redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Link ID|                            |Red Hat Product Errata
                   |                            |RHSA-2020:0983

Bug 1774726 depends on bug 1774727, which changed state.
Bug 1774727 Summary: CVE-2019-12422 shiro: Cookie padding oracle vulnerability with default configuration [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1774727
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|---                         |EOL