Bug 1455566 (CVE-2014-9970)

Summary: CVE-2014-9970 jasypt: Vulnerable to timing attack against the password hash comparison
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abhgupta, aileenc, alazarot, bbaranow, bdawidow, bmaxwell, bmcclain, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dblechte, dosoudil, drieden, eedri, etirelli, gvarsami, java-sig-commits, jawilson, jcoleman, jshepherd, kconner, kverlaen, ldimaggi, lgao, lpetrovi, mbaluch, mgoldboi, michal.skrivanek, mwinkler, myarboro, nwallace, pdrozd, pgier, psakar, pslavice, psotirop, rnetuka, rrajasek, rsvoboda, rwagner, rzhang, sthorger, tcunning, tiwillia, tkirby, twalsh, vtunka, ykaul
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: jasypt 1.9.2
Doc Type: Bug Fix
Doc Text:
A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 03:13:29 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1472046
Bug Blocks: 1455570, 1477305, 1493931

Description Andrej Nemec 2017-05-25 13:32:56 UTC
It was found that jasypt before allows a timing attack against the password hash comparison.

Upstream patch:

https://sourceforge.net/p/jasypt/code/668/
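
Added illustration of the defect class behind this bug; this is not jasypt's code and not the content of the upstream patch linked above. A password-digest check that compares the stored digest to the candidate digest byte by byte and returns at the first mismatch takes slightly longer the more leading bytes agree, which is the signal a timing attack measures. The hardened form walks the full length regardless of where the bytes differ. The class name, method names and sample passwords below are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestCompareDemo {

    // Vulnerable pattern (constructed illustration): the loop exits as soon as a byte
    // differs, so the elapsed time depends on how many leading bytes the candidate
    // digest shares with the stored one.
    static boolean equalsEarlyExit(byte[] stored, byte[] candidate) {
        if (stored.length != candidate.length) {
            return false;
        }
        for (int i = 0; i < stored.length; i++) {
            if (stored[i] != candidate[i]) {
                return false; // position of the first difference leaks through timing
            }
        }
        return true;
    }

    // Hardened pattern: every byte is visited and each difference is OR-ed into one
    // accumulator, so the running time does not depend on where the digests differ.
    // Comparing lengths up front is acceptable because the digest length is not secret.
    static boolean equalsConstantTime(byte[] stored, byte[] candidate) {
        if (stored.length != candidate.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < stored.length; i++) {
            diff |= stored[i] ^ candidate[i];
        }
        return diff == 0;
    }

    // Plain SHA-256 keeps the example short; a real password digester would also salt
    // and iterate, as jasypt's digesters do, but the comparison step is the same.
    static byte[] sha256(String s) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample values.
        byte[] stored = sha256("correct horse battery staple");
        byte[] wrong = sha256("wrong password");
        byte[] right = sha256("correct horse battery staple");

        System.out.println("early-exit, wrong candidate   : " + equalsEarlyExit(stored, wrong));
        System.out.println("constant-time, wrong candidate: " + equalsConstantTime(stored, wrong));
        System.out.println("constant-time, right candidate: " + equalsConstantTime(stored, right));
        // The JDK's own constant-time comparison is the simplest drop-in replacement.
        System.out.println("MessageDigest.isEqual, wrong  : " + MessageDigest.isEqual(stored, wrong));
    }
}
```

When auditing a code base for this bug class, the thing to grep for is any `==`, `Arrays.equals`, `String.equals` or hand-written early-return loop applied to a digest, MAC or token; `MessageDigest.isEqual` (constant-time in current JDKs) or an OR-accumulating loop like `equalsConstantTime` is the replacement. The accumulator form relies on the JIT not short-circuiting the loop, which it does not do in practice for this shape, but the JDK helper is the safer choice where it is available.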

Comment 4 errata-xmlrpc 2017-08-29 19:41:16 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS

Via RHSA-2017:2547 https://access.redhat.com/errata/RHSA-2017:2547

Comment 5 errata-xmlrpc 2017-08-29 19:42:29 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite

Via RHSA-2017:2546 https://access.redhat.com/errata/RHSA-2017:2546

Comment 6 errata-xmlrpc 2017-09-26 17:59:37 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0.8

Via RHSA-2017:2810 https://access.redhat.com/errata/RHSA-2017:2810

Comment 7 errata-xmlrpc 2017-09-26 18:42:18 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2017:2808 https://access.redhat.com/errata/RHSA-2017:2808

Comment 8 errata-xmlrpc 2017-09-26 18:54:35 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:2809 https://access.redhat.com/errata/RHSA-2017:2809

Comment 9 errata-xmlrpc 2017-09-26 19:15:53 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:2811 https://access.redhat.com/errata/RHSA-2017:2811

Comment 10 errata-xmlrpc 2017-11-07 17:32:02 UTC
This issue has been addressed in the following products:

  RHEV 4.X RHEV-H and Agents for RHEL-7

Via RHSA-2017:3141 https://access.redhat.com/errata/RHSA-2017:3141

Comment 18 errata-xmlrpc 2018-02-12 17:20:00 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Grid

Via RHSA-2018:0294 https://access.redhat.com/errata/RHSA-2018:0294