Bug 1058457 - BPMS 6.0 is affected by CVE-2013-1624 bouncycastle: TLS CBC padding timing attack
Summary: BPMS 6.0 is affected by CVE-2013-1624 bouncycastle: TLS CBC padding timing at...
Alias: None
Product: JBoss BPMS Platform 6
Classification: Retired
Component: Deployment
Version: 6.0.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ER2
: 6.0.1
Assignee: Geoffrey De Smet
QA Contact: Petr Široký
Depends On: 1058459
Blocks: CVE-2013-1624
TreeView+ depends on / blocked
Reported: 2014-01-27 20:15 UTC by Chess Hazlett
Modified: 2014-04-03 21:23 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-04-03 21:23:30 UTC
Type: Bug

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0371 0 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.0.1 update 2014-04-04 01:19:56 UTC

Description Chess Hazlett 2014-01-27 20:15:32 UTC

Comment 5 David Jorm 2014-02-20 05:46:16 UTC
This flaw does not affect EAP. The affected component is bcprov-jdk14-138.jar, which ships as part of the generic deployable zip (but not the EAP deployable zip). Setting this back to 6.0.1?.

Comment 6 Kris Verlaenen 2014-02-20 15:00:39 UTC
Seems to be introduced by drools-verifier:

[INFO] +- org.drools:drools-verifier:jar:6.1.0-SNAPSHOT:compile
[INFO] |  +- com.google.guava:guava:jar:13.0.1:compile
[INFO] |  \- com.lowagie:itext:jar:2.1.2:compile
[INFO] |     +- bouncycastle:bcmail-jdk14:jar:138:compile
[INFO] |     \- bouncycastle:bcprov-jdk14:jar:138:compile

Comment 7 Geoffrey De Smet 2014-02-27 09:10:37 UTC
After doing a "mvn dependency:tree" on all of droolsjbpm (non-full build though), we see that bouncycastle comes in only through itext. In turn, itext is used by drools-verifier and jfreechart (which is used by optaplanner and dashboard-builder etc).

Comment 8 Geoffrey De Smet 2014-02-27 09:13:50 UTC
*** Bug 1058459 has been marked as a duplicate of this bug. ***

Comment 10 Petr Široký 2014-03-03 15:53:17 UTC
Verified that the bcprov-jdk14 and bcmail-jdk14 jars are not present in the distribution zips. Once the Maven repo is available, I will verify also there.

Comment 11 Petr Široký 2014-03-24 12:43:00 UTC
Verified fixed in 6.0.1-CR1. The Maven repo does not contain any bcprov or bcmail artifacts.

Comment 13 errata-xmlrpc 2014-04-03 21:23:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.