Bug 1700016 (CVE-2019-0231)
| Summary: | CVE-2019-0231 mina-core: Retaining an open socket in close_notify SSL-TLS leading to Information disclosure. | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aileenc, alazarot, anstephe, bbuckingham, bcourt, bkearney, btotty, chazlett, dbecker, drieden, etirelli, gvarsami, hhudgeon, ibek, jcoleman, jjoyce, jochrist, jolee, jschatte, jschluet, jstastny, kbasil, kconner, krathod, kverlaen, ldimaggi, lhh, lpeer, lzap, mburns, mhulan, mkolesni, mmccune, nwallace, paradhya, rchan, rjerrido, rrajasek, rsynek, rwagner, sclewis, scohen, sdaley, sisharma, slinaber, tcunning, tkirby, vbellur, vhalbert |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | apache-mina 2.0.21, apache-mina 2.1.1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A cryptographic protocol integrity flaw was discovered in Apache Mina. The closure of a TLS session would not always result in closure of the socket, allowing the conversation to continue in clear text. This could undermine the confidentiality of a connection and potentially disclose sensitive information to third-party attackers.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-03-16 10:17:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1706022, 1744395 | ||
| Bug Blocks: | 1700018 | ||
|
Description
Marian Rehak
2019-04-15 15:16:49 UTC
External References: https://www.openwall.com/lists/oss-security/2019/04/14/1 Statement: * Red Hat OpenStack Platform's OpenDaylight versions 8-10 contain the vulnerable code. However, these OpenDaylight versions were released as technical preview with limited support and will therefore not be updated. Other OpenDaylight versions do not contain the vulnerable library. * This issue affects the version of apache-mina shipped with Red Hat Gluster Storage 3, as it contains the vulnerable functionality. This vulnerability is out of security support scope for the following products: * Red Hat JBoss A-MQ 6 * Red Hat JBoss BPM Suite 6 * Red Hat JBoss BRMS 5 * Red Hat JBoss BRMS 6 * Red Hat JBoss Data Virtualization & Services 6 * Red Hat JBoss SOA Platform 5 * Red Hat JBoss Fuse Service Works 6 * Red Hat JBoss Fuse 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2020:0895 https://access.redhat.com/errata/RHSA-2020:0895 This issue has been addressed in the following products: Red Hat Decision Manager Via RHSA-2020:0899 https://access.redhat.com/errata/RHSA-2020:0899 This issue has been addressed in the following products: Red Hat Satellite 6.7 for RHEL 7 Via RHSA-2020:1454 https://access.redhat.com/errata/RHSA-2020:1454 This issue has been addressed in the following products: Red Hat Fuse 7.7.0 Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192 |