Bug 1058454 - CVE-2013-1624 bouncycastle: TLS CBC padding timing attack [jpp-6.2.0]
Summary: CVE-2013-1624 bouncycastle: TLS CBC padding timing attack [jpp-6.2.0]
Alias: None
Product: JBoss Enterprise Portal Platform 6
Classification: JBoss
Component: unspecified
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ER05
: 6.2.0
Assignee: hfnukal@redhat.com
QA Contact: Filip Kiss
Depends On:
Blocks: CVE-2013-1624 1082914 1082938
Reported: 2014-01-27 20:10 UTC by Chess Hazlett
Modified: 2015-05-14 15:15 UTC

Fixed In Version:
Doc Type: Release Note
Doc Text:
Clone Of:
Last Closed: 2015-05-14 15:15:30 UTC
Type: Bug


System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2015:1009 | 0 | normal | SHIPPED_LIVE | Important: Red Hat JBoss Portal 6.2.0 update | 2015-05-14 19:14:47 UTC

Description Chess Hazlett 2014-01-27 20:10:19 UTC

Comment 3 Arun Babu Neelicattu 2014-04-01 07:04:53 UTC
Recommended fix: Upgrade to bouncycastle >= 1.48

Comment 4 Arun Babu Neelicattu 2014-07-24 06:09:58 UTC
Retargeting this to JPP 6.2.0.

Comment 5 Arun Babu Neelicattu 2014-07-24 06:13:35 UTC
This was retargeted due to an overwhelming lack of progress. This was expected to be fixed before 6.2.0.

Comment 7 Filip Kiss 2014-09-09 12:06:30 UTC
Hi Chess,
can you please provide me a link with a reproducer for this issue?

Thank you,
Filip Kiss

Comment 8 Chess Hazlett 2014-09-19 17:09:21 UTC
Filip, we don't have a reproducer for this flaw.  For other product fixes for this CVE, we've been verifying that updated bc jars are in use.  The correct bc jars (1.50, need >1.48) are in CR1 as of 2014-09-19.
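
Comment 8 describes verifying the fix by confirming which bc jars are in use. The following Python sketch of that check is an added example, not part of the bug report or of Red Hat's tooling; the jar naming pattern, the manifest keys and the compact `150` file-name form are assumptions, and the 1.48 threshold is the one given in Comment 3.

```python
import re
import sys
import zipfile
from pathlib import Path

MIN_FIXED = (1, 48)  # from Comment 3: "Upgrade to bouncycastle >= 1.48"
# Assumed jar naming: bcprov-jdk15on-1.50.jar, bcmail-jdk16-1.46.0.redhat-1.jar
BC_NAME = re.compile(r"^bc[a-z]+-jdk\w+?-(\d+(?:\.\d+)*)", re.I)
MANIFEST_KEYS = ("Implementation-Version", "Bundle-Version")  # assumed keys

def parse_version(text):
    """(major, minor) from '1.50', '1.46.0.redhat-1' or compact '150' (= 1.50)."""
    m = re.match(r"(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    if m.group(2) is not None:
        return int(m.group(1)), int(m.group(2))
    digits = m.group(1)  # compact form used in some file names
    return (int(digits[0]), int(digits[1:])) if len(digits) > 1 else None

def manifest_version(jar_path):
    """Version recorded in META-INF/MANIFEST.MF, or None if absent or unreadable."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None
    for key in MANIFEST_KEYS:
        m = re.search(rf"^{key}:\s*(\S+)", text, re.M)
        if m:
            return parse_version(m.group(1))
    return None

def audit(root):
    """Map each Bouncy Castle jar under root to (version, status)."""
    report = {}
    for jar in sorted(Path(root).rglob("*.jar")):
        named = BC_NAME.match(jar.name)
        if not named:
            continue  # not named like a Bouncy Castle artifact
        # Trust the manifest over the file name, which can be renamed.
        version = manifest_version(jar) or parse_version(named.group(1))
        status = ("unknown" if version is None
                  else "ok" if version >= MIN_FIXED else "outdated")
        report[str(jar.relative_to(root))] = (version, status)
    return report

if __name__ == "__main__":
    for path, (version, status) in audit(sys.argv[1] if sys.argv[1:] else ".").items():
        print(f"{status:9} {version} {path}")
```

Jars nested inside WAR or EAR archives, and Bouncy Castle classes repackaged under another file name, are not detected by this scan and need to be unpacked or checked separately.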

Comment 10 errata-xmlrpc 2015-05-14 15:15:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

