https://bugzilla.redhat.com/show_bug.cgi?id=1455566
Bug ID: 1455566
Summary: CVE-2014-9970 jasypt: Vulnerable to timing attack against the password hash comparison
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: anemec@redhat.com
CC: abhgupta@redhat.com, aileenc@redhat.com, alazarot@redhat.com, bbaranow@redhat.com, bmaxwell@redhat.com, bmcclain@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, csutherl@redhat.com, dandread@redhat.com, darran.lofthouse@redhat.com, dblechte@redhat.com, dosoudil@redhat.com, eedri@redhat.com, etirelli@redhat.com, gvarsami@redhat.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jcoleman@redhat.com, jshepherd@redhat.com, kconner@redhat.com, kseifried@redhat.com, kverlaen@redhat.com, ldimaggi@redhat.com, lgao@redhat.com, lpetrovi@redhat.com, mbaluch@redhat.com, mgoldboi@redhat.com, michal.skrivanek@redhat.com, mwinkler@redhat.com, myarboro@redhat.com, nwallace@redhat.com, pavelp@redhat.com, pgier@redhat.com, psakar@redhat.com, pslavice@redhat.com, psotirop@redhat.com, puntogil@libero.it, rnetuka@redhat.com, rrajasek@redhat.com, rsvoboda@redhat.com, rwagner@redhat.com, rzhang@redhat.com, sherold@redhat.com, tcunning@redhat.com, tiwillia@redhat.com, tkirby@redhat.com, twalsh@redhat.com, vtunka@redhat.com, ydary@redhat.com, ykaul@redhat.com
It was found that jasypt before allows a timing attack against the password hash comparison.
Upstream patch:
https://sourceforge.net/p/jasypt/code/668/
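The weakness behind this CVE is the classic early-exit byte comparison (CWE-385 in the whiteboard entries below): the time the comparison takes reveals how many leading bytes of the stored digest the supplied value matched. What follows is an added illustration of that bug class and of the standard fix; it is not jasypt code and not the upstream patch linked above. `insecure_equals` models the leaky pattern, `constant_time_equals` the fixed one, and `recover_secret` shows how a caller who can submit the compared bytes turns the leak into full recovery. The work counter stands in for elapsed time so the run is deterministic; the secret value, the 16- and 32-byte lengths and all function names are constructed for the example.

```python
import hashlib
import hmac
from typing import Callable, Tuple

# A comparison returns (equal, work) where `work` is the number of bytes it
# examined.  In this model `work` stands in for wall-clock time.
Compare = Callable[[bytes, bytes], Tuple[bool, int]]


def insecure_equals(a: bytes, b: bytes) -> Tuple[bool, int]:
    """The leaky pattern: bail out at the first mismatching byte.

    A longer matching prefix means more iterations before the early return,
    so the caller can tell how many leading bytes were right.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equals(a: bytes, b: bytes) -> Tuple[bool, int]:
    """The fix: examine every byte and never branch on the data.

    Hand-rolled here only to show the property; production code should call
    hmac.compare_digest (Python) or MessageDigest.isEqual (Java).  Digest
    lengths are fixed and public, so the length check does not leak a secret.
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def hardened_check(candidate: bytes, stored: bytes) -> bool:
    """What the fixed code path looks like with the library primitive."""
    return hmac.compare_digest(candidate, stored)


def make_oracle(secret: bytes, compare: Compare) -> Callable[[bytes], Tuple[bool, int]]:
    """Server side: compare a caller-supplied value to the stored secret and
    expose the work done, as response time would."""
    def check(candidate: bytes) -> Tuple[bool, int]:
        return compare(candidate, secret)
    return check


def recover_secret(oracle: Callable[[bytes], Tuple[bool, int]], length: int) -> bytes:
    """Attacker side: rebuild the secret one byte at a time.

    At each position try all 256 values, padding the tail with zeros, and
    keep the guess that made the oracle do the most work.  Against
    insecure_equals only the right byte lets the loop run one step further;
    against constant_time_equals every guess costs the same, so nothing is
    learned and the first value tried (0x00) is kept.
    """
    known = bytearray()
    for pos in range(length):
        best_guess, best_work = 0, -1
        for guess in range(256):
            candidate = bytes(known) + bytes([guess]) + bytes(length - pos - 1)
            equal, work = oracle(candidate)
            if equal:
                return candidate
            if work > best_work:
                best_guess, best_work = guess, work
        known.append(best_guess)
    return bytes(known)


if __name__ == "__main__":
    # Constructed stored digest; any 32-byte value would do for the model.
    stored = hashlib.sha256(b"example-salt" + b"correct horse").digest()
    leaked = recover_secret(make_oracle(stored, insecure_equals), len(stored))
    safe = recover_secret(make_oracle(stored, constant_time_equals), len(stored))
    print("early-exit compare leaked the digest:", leaked == stored)
    print("constant-time compare leaked the digest:", safe == stored)
    print("hardened_check accepts the real digest:", hardened_check(stored, stored))
```

In a password check the caller controls the plaintext, not the digest, so steering the compared bytes means finding inputs whose digest starts with the wanted prefix; that makes the attack far costlier than when the compared value is supplied directly, as with a MAC or session token. The fix is the same in both cases: compare with a primitive whose running time does not depend on the data, `hmac.compare_digest` in Python or `MessageDigest.isEqual` in Java.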
Andrej Nemec anemec@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Fixed In Version| |jasypt 1.9.2
Andrej Nemec anemec@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1455570
Pavel Polischouk pavelp@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard
  Removed: impact=moderate,public=20170220,reported=20170521,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jasypt=notaffected,amq-6/jasypt=notaffected,bpms-6/jasypt=new,jdg-7/jasypt=new,eap-7/jasypt=new,brms-5/jasypt=new,fsw-6/jasypt=new,fuse-6/jasypt=notaffected,openshift-enterprise-2/jasypt=new,rhsso-7/jasypt=new,rhev-m-4/jasypt=new
  Added:   impact=moderate,public=20170220,reported=20170521,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jasypt=notaffected,amq-6/jasypt=notaffected,bpms-6/jasypt=affected,jdg-7/jasypt=new,eap-7/jasypt=new,brms-5/jasypt=wontfix,fsw-6/jasypt=wontfix,fuse-6/jasypt=notaffected,openshift-enterprise-2/jasypt=new,rhsso-7/jasypt=new,rhev-m-4/jasypt=new,brms-6/jasypt=affected
  (net change: bpms-6/jasypt new -> affected; brms-5/jasypt new -> wontfix; fsw-6/jasypt new -> wontfix; brms-6/jasypt=affected added)
Bharti Kundal bkundal@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |bkundal@redhat.com
Whiteboard
  Removed: impact=moderate,public=20170220,reported=20170521,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jasypt=notaffected,amq-6/jasypt=notaffected,bpms-6/jasypt=affected,jdg-7/jasypt=new,eap-7/jasypt=new,brms-5/jasypt=wontfix,fsw-6/jasypt=wontfix,fuse-6/jasypt=notaffected,openshift-enterprise-2/jasypt=new,rhsso-7/jasypt=new,rhev-m-4/jasypt=new,brms-6/jasypt=affected
  Added:   impact=moderate,public=20170220,reported=20170521,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jasypt=notaffected,amq-6/jasypt=notaffected,bpms-6/jasypt=affected,jdg-7/jasypt=new,eap-7/jasypt=affected,brms-5/jasypt=wontfix,fsw-6/jasypt=wontfix,fuse-6/jasypt=notaffected,openshift-enterprise-2/jasypt=new,rhsso-7/jasypt=new,rhev-m-4/jasypt=new,brms-6/jasypt=affected
  (net change: eap-7/jasypt new -> affected)
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard
  Removed: impact=moderate,public=20170220,reported=20170521,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jasypt=notaffected,amq-6/jasypt=notaffected,bpms-6/jasypt=affected,jdg-7/jasypt=new,eap-7/jasypt=affected,brms-5/jasypt=wontfix,fsw-6/jasypt=wontfix,fuse-6/jasypt=notaffected,openshift-enterprise-2/jasypt=new,rhsso-7/jasypt=new,rhev-m-4/jasypt=new,brms-6/jasypt=affected
  Added:   impact=moderate,public=20170220,reported=20170521,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jasypt=notaffected,amq-6/jasypt=notaffected,bpms-6/jasypt=affected,jdg-7/jasypt=affected,eap-7/jasypt=affected,brms-5/jasypt=wontfix,fsw-6/jasypt=wontfix,fuse-6/jasypt=notaffected,openshift-enterprise-2/jasypt=new,rhsso-7/jasypt=new,rhev-m-4/jasypt=new,brms-6/jasypt=affected
  (net change: jdg-7/jasypt new -> affected)
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard
  Removed: impact=moderate,public=20170220,reported=20170521,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jasypt=notaffected,amq-6/jasypt=notaffected,bpms-6/jasypt=affected,jdg-7/jasypt=affected,eap-7/jasypt=affected,brms-5/jasypt=wontfix,fsw-6/jasypt=wontfix,fuse-6/jasypt=notaffected,openshift-enterprise-2/jasypt=new,rhsso-7/jasypt=new,rhev-m-4/jasypt=new,brms-6/jasypt=affected
  Added:   impact=moderate,public=20170220,reported=20170521,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jasypt=notaffected,amq-6/jasypt=notaffected,bpms-6/jasypt=affected,jdg-7/jasypt=new,eap-7/jasypt=affected,brms-5/jasypt=wontfix,fsw-6/jasypt=wontfix,fuse-6/jasypt=notaffected,openshift-enterprise-2/jasypt=new,rhsso-7/jasypt=new,rhev-m-4/jasypt=new,brms-6/jasypt=affected
  (net change: jdg-7/jasypt affected -> new, reverting the previous change)
Kurt Seifried kseifried@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard
  Removed: impact=moderate,public=20170220,reported=20170521,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jasypt=notaffected,amq-6/jasypt=notaffected,bpms-6/jasypt=affected,jdg-7/jasypt=new,eap-7/jasypt=affected,brms-5/jasypt=wontfix,fsw-6/jasypt=wontfix,fuse-6/jasypt=notaffected,openshift-enterprise-2/jasypt=new,rhsso-7/jasypt=new,rhev-m-4/jasypt=new,brms-6/jasypt=affected
  Added:   impact=moderate,public=20170220,reported=20170521,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jasypt=notaffected,amq-6/jasypt=notaffected,bpms-6/jasypt=affected,jdg-7/jasypt=new,eap-7/jasypt=affected,brms-5/jasypt=wontfix,fsw-6/jasypt=wontfix,fuse-6/jasypt=notaffected,openshift-enterprise-2/jasypt=new,rhsso-7/jasypt=new,rhev-m-4/jasypt=affected,brms-6/jasypt=affected
  (net change: rhev-m-4/jasypt new -> affected)
Kurt Seifried kseifried@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1472046
Pavel Polischouk pavelp@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Doc Type|If docs needed, set a value |Bug Fix

--- Doc Text *updated* ---
A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.
Pavel Polischouk pavelp@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1477305
--- Comment #4 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss BRMS
Via RHSA-2017:2547 https://access.redhat.com/errata/RHSA-2017:2547
--- Comment #5 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss BPM Suite
Via RHSA-2017:2546 https://access.redhat.com/errata/RHSA-2017:2546
Bharti Kundal bkundal@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1493931
--- Comment #6 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2017:2810 https://access.redhat.com/errata/RHSA-2017:2810
--- Comment #7 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
Via RHSA-2017:2808 https://access.redhat.com/errata/RHSA-2017:2808
--- Comment #8 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6
Via RHSA-2017:2809 https://access.redhat.com/errata/RHSA-2017:2809
--- Comment #9 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6
Via RHSA-2017:2811 https://access.redhat.com/errata/RHSA-2017:2811
--- Comment #10 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
RHEV 4.X RHEV-H and Agents for RHEL-7
Via RHSA-2017:3141 https://access.redhat.com/errata/RHSA-2017:3141
Bharti Kundal bkundal@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1520314
Chess Hazlett chazlett@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |bdawidow@redhat.com, drieden@redhat.com, pdrozd@redhat.com, sthorger@redhat.com
Whiteboard
  Removed: impact=moderate,public=20170220,reported=20170521,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jasypt=notaffected,amq-6/jasypt=notaffected,bpms-6/jasypt=affected,jdg-7/jasypt=new,eap-7/jasypt=affected,brms-5/jasypt=wontfix,fsw-6/jasypt=wontfix,fuse-6/jasypt=notaffected,openshift-enterprise-2/jasypt=new,rhsso-7/jasypt=new,rhev-m-4/jasypt=affected,brms-6/jasypt=affected
  Added:   impact=moderate,public=20170220,reported=20170520,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jasypt=notaffected,amq-6/jasypt=notaffected,bpms-6/jasypt=affected,jdg-7/jasypt=affected,eap-7/jasypt=affected,brms-5/jasypt=wontfix,fsw-6/jasypt=wontfix,fuse-6/jasypt=notaffected,openshift-enterprise-2/jasypt=new,rhsso-7/jasypt=affected,rhev-m-4/jasypt=affected,brms-6/jasypt=affected
  (net change: reported 20170521 -> 20170520; jdg-7/jasypt new -> affected; rhsso-7/jasypt new -> affected)
Bharti Kundal bkundal@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|1520314 |
Viliam Križan vkrizan@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard
  Removed: impact=moderate,public=20170220,reported=20170520,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jasypt=notaffected,amq-6/jasypt=notaffected,bpms-6/jasypt=affected,jdg-7/jasypt=affected,eap-7/jasypt=affected,brms-5/jasypt=wontfix,fsw-6/jasypt=wontfix,fuse-6/jasypt=notaffected,openshift-enterprise-2/jasypt=new,rhsso-7/jasypt=affected,rhev-m-4/jasypt=affected,brms-6/jasypt=affected
  Added:   impact=moderate,public=20170220,reported=20170521,source=cve,cvss3=5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-385,fedora-all/jasypt=notaffected,amq-6/jasypt=notaffected,bpms-6/jasypt=affected,jdg-7/jasypt=affected,eap-7/jasypt=affected,brms-5/jasypt=wontfix,fsw-6/jasypt=wontfix,fuse-6/jasypt=notaffected,openshift-enterprise-2/jasypt=new,rhsso-7/jasypt=affected,rhev-m-4/jasypt=affected,brms-6/jasypt=affected
  (net change: reported 20170520 -> 20170521, restoring the original reported date)
--- Comment #18 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Data Grid
Via RHSA-2018:0294 https://access.redhat.com/errata/RHSA-2018:0294