Bug 1058454

Summary: CVE-2013-1624 bouncycastle: TLS CBC padding timing attack [jpp-6.2.0]
Product: [JBoss] JBoss Enterprise Portal Platform 6 Reporter: Chess Hazlett <chazlett>
Component: unspecifiedAssignee: hfnukal <hfnukal>
Status: CLOSED ERRATA QA Contact: Filip Kiss <fkiss>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.1.0CC: bdawidow, chazlett, epp-bugs, grocha, hfnukal, mweiler, vramik
Target Milestone: ER05Keywords: Security, SecurityTracking
Target Release: 6.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-05-14 15:15:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 908428, 1082914, 1082938    

Description Chess Hazlett 2014-01-27 20:10:19 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=908428

Comment 3 Arun Babu Neelicattu 2014-04-01 07:04:53 UTC
Recommended fix: Upgrade to bouncycastle >= 1.48

Comment 4 Arun Babu Neelicattu 2014-07-24 06:09:58 UTC
Retargeting this to JPP 6.2.0.

Comment 5 Arun Babu Neelicattu 2014-07-24 06:13:35 UTC
This was retargeted due to an overwhelming lack of progress. This was exptected to be fixed before 6.2.0.

Comment 7 Filip Kiss 2014-09-09 12:06:30 UTC
Hi Chess,
can you please provide me a link with reproducer for this issue ?

Thank you,
Filip Kiss

Comment 8 Chess Hazlett 2014-09-19 17:09:21 UTC
Filip, we don't have a reproducer for this flaw.  For other product fixes for this CVE, we've been verifying that updated bc jars are in use.  The correct bc jars (1.50, need >1.48) are in CR1 as of 2014-09-19.

Comment 10 errata-xmlrpc 2015-05-14 15:15:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1009.html