Bug 1058457
| Summary: | BPMS 6.0 is affected by CVE-2013-1624 bouncycastle: TLS CBC padding timing attack | | |
|---|---|---|---|
| Product: | [Retired] JBoss BPMS Platform 6 | Reporter: | Chess Hazlett <chazlett> |
| Component: | Deployment | Assignee: | Geoffrey De Smet <gdesmet> |
| Status: | CLOSED ERRATA | QA Contact: | Petr Široký <psiroky> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.0.0 | CC: | chazlett, djorm, etirelli, gdesmet, kverlaen, rrajasek |
| Target Milestone: | ER2 | Keywords: | Security |
| Target Release: | 6.0.1 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-04-03 21:23:30 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1058459 | | |
| Bug Blocks: | 908428 | | |
Description
Chess Hazlett
2014-01-27 20:15:32 UTC
This flaw does not affect EAP. The affected component is bcprov-jdk14-138.jar, which ships as part of the generic deployable zip (but not the EAP deployable zip). Setting this back to 6.0.1?

Seems to be introduced by drools-verifier:

```
[INFO] +- org.drools:drools-verifier:jar:6.1.0-SNAPSHOT:compile
[INFO] |  +- com.google.guava:guava:jar:13.0.1:compile
[INFO] |  \- com.lowagie:itext:jar:2.1.2:compile
[INFO] |     +- bouncycastle:bcmail-jdk14:jar:138:compile
[INFO] |     \- bouncycastle:bcprov-jdk14:jar:138:compile
```

After doing a "mvn dependency:tree" on all of droolsjbpm (non-full build though), we see that bouncycastle comes in only through itext. In turn, itext is used by drools-verifier and jfreechart (which is used by optaplanner and dashboard-builder etc).

*** Bug 1058459 has been marked as a duplicate of this bug. ***

Fixed on master: https://github.com/droolsjbpm/droolsjbpm-build-bootstrap/commit/c8e8dffd42fb353b32327aef254ebc15460e6412

Fixed on 6.0.x: https://github.com/droolsjbpm/droolsjbpm-build-bootstrap/commit/87b099481ea3358142641077483fb12c323dfc29

PR for IP-bom: https://github.com/jboss-integration/jboss-integration-platform-bom/pull/44

Verified that the bcprov-jdk14 and bcmail-jdk14 jars are not present in the distribution zips. Once the Maven repo is available, I will also verify there.

Verified fixed in 6.0.1-CR1. The Maven repo does not contain any bcprov or bcmail artifacts.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2014-0371.html
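The two checks performed in this bug, tracing how a flagged artifact enters the build from `mvn dependency:tree` output and then confirming the jar is absent from the shipped distribution, can be scripted. The following is an added example, not code from the bug report or from the droolsjbpm project. `trace_artifact` walks the three-character indentation columns of `dependency:tree` output and prints the full parent chain for every entry whose coordinates match a pattern, so it generalises the manual reading above to any artifact; `check_listing` fails if a file listing (for example from `unzip -Z1 dist.zip`) still contains a bcprov or bcmail jar. The tree and listing embedded here are constructed samples that mirror the chain quoted in the report; the jfreechart coordinates and root artifact are assumed, not taken from the page.

```bash
#!/bin/sh
# Added example, not part of the bug report. Constructed sample of
# `mvn dependency:tree` output mirroring the chain quoted in the report
# (root and jfreechart coordinates are assumed for illustration).
TREE_SAMPLE='[INFO] org.example:bpms-distribution:jar:6.0.1-SNAPSHOT
[INFO] +- org.drools:drools-verifier:jar:6.1.0-SNAPSHOT:compile
[INFO] |  +- com.google.guava:guava:jar:13.0.1:compile
[INFO] |  \- com.lowagie:itext:jar:2.1.2:compile
[INFO] |     +- bouncycastle:bcmail-jdk14:jar:138:compile
[INFO] |     \- bouncycastle:bcprov-jdk14:jar:138:compile
[INFO] \- jfree:jfreechart:jar:1.0.13:compile
[INFO]    \- com.lowagie:itext:jar:2.1.2:compile
[INFO]       \- bouncycastle:bcprov-jdk14:jar:138:compile'

# trace_artifact PATTERN
# Reads dependency:tree text on stdin and prints, one per line, the chain
# root -> ... -> artifact for every entry whose coordinates match PATTERN
# (an awk regular expression). Each tree level is one 3-character column
# ("+- ", "\- ", "|  " or "   "), so depth = columns before the coordinate.
trace_artifact() {
    pattern=$1
    awk -v pat="$pattern" '
    {
        line = $0
        sub(/^\[INFO\] ?/, "", line)        # drop the Maven log prefix
        if (!match(line, /[A-Za-z0-9]/)) next   # skip blank or separator lines
        depth = (RSTART - 1) / 3            # number of tree columns
        coord = substr(line, RSTART)
        chain[depth] = coord                # remember the parent at this level
        if (coord ~ pat) {
            path = chain[0]
            for (i = 1; i <= depth; i++) path = path " -> " chain[i]
            print path
        }
    }'
}

# check_listing
# Reads a distribution file listing on stdin (e.g. `unzip -Z1 dist.zip` or
# `find repo -name "*.jar"`). Prints any remaining bcprov/bcmail jar and
# returns 1; returns 0 when the listing is clean.
check_listing() {
    found=$(grep -E '(^|/)(bcprov|bcmail)-jdk1[0-9]-[0-9]+\.jar$' || true)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Stand-alone demo on the constructed sample: shows both routes through itext.
printf '%s\n' "$TREE_SAMPLE" | trace_artifact '^bouncycastle:'
```

Pointing `trace_artifact` at real output (`mvn dependency:tree | trace_artifact '^bouncycastle:'`) shows every path by which the library is pulled in, which is what decides whether an exclusion on one dependency is enough or, as here, the shared parent (itext) has to be handled.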