Bug 1058457
Summary: | BPMS 6.0 is affected by CVE-2013-1624 bouncycastle: TLS CBC padding timing attack | ||
---|---|---|---|
Product: | [Retired] JBoss BPMS Platform 6 | Reporter: | Chess Hazlett <chazlett> |
Component: | Deployment | Assignee: | Geoffrey De Smet <gdesmet> |
Status: | CLOSED ERRATA | QA Contact: | Petr Široký <psiroky> |
Severity: | medium | Docs Contact: | |
Priority: | high | ||
Version: | 6.0.0 | CC: | chazlett, djorm, etirelli, gdesmet, kverlaen, rrajasek |
Target Milestone: | ER2 | Keywords: | Security |
Target Release: | 6.0.1 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2014-04-03 21:23:30 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1058459 | ||
Bug Blocks: | 908428 |
Description
Chess Hazlett
2014-01-27 20:15:32 UTC
This flaw does not affect EAP. The affected component is bcprov-jdk14-138.jar, which ships as part of the generic deployable zip (but not the EAP deployable zip). Setting this back to 6.0.1?. Seems to be introduced by drools-verifier: [INFO] +- org.drools:drools-verifier:jar:6.1.0-SNAPSHOT:compile [INFO] | +- com.google.guava:guava:jar:13.0.1:compile [INFO] | \- com.lowagie:itext:jar:2.1.2:compile [INFO] | +- bouncycastle:bcmail-jdk14:jar:138:compile [INFO] | \- bouncycastle:bcprov-jdk14:jar:138:compile After doing a "mvn dependency:tree" on all of droolsjbpm (non-full build though), we see that bouncycastle comes in only through itext. In turn, itext is used by drools-verifier and jfreechart (which is used by optaplanner and dashboard-builder etc). *** Bug 1058459 has been marked as a duplicate of this bug. *** Fixed on master: https://github.com/droolsjbpm/droolsjbpm-build-bootstrap/commit/c8e8dffd42fb353b32327aef254ebc15460e6412 Fixed on 6.0.x: https://github.com/droolsjbpm/droolsjbpm-build-bootstrap/commit/87b099481ea3358142641077483fb12c323dfc29 PR for IP-bom: https://github.com/jboss-integration/jboss-integration-platform-bom/pull/44 Verified that the bcprov-jdk14 and bcmail-jdk14 jars are not present in the distribution zips. Once the Maven repo is available, I will verify also there. Verified fixed in 6.0.1-CR1. The Maven repo does not contain any bcprov or bcmail artifacts. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2014-0371.html |