Bug 1455566 – CVE-2014-9970 jasypt: Vulnerable to timing attack against the password hash comparison

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1455566 - (CVE-2014-9970) CVE-2014-9970 jasypt: Vulnerable to timing attack against the password hash comparison

Summary:	CVE-2014-9970 jasypt: Vulnerable to timing attack against the password hash c...

Status:	NEW

Aliases:	CVE-2014-9970

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20170220,repor...
Keywords:	Security

Depends On:	1472046
Blocks:	1455570 1477305 1493931
	Show dependency tree / graph

Reported:	2017-05-25 09:32 EDT by Andrej Nemec
Modified:	2018-10-19 17:41 EDT (History)
CC List:	51 users (show)

See Also:
Fixed In Version:	jasypt 1.9.2
Doc Type:	Bug Fix
Doc Text:	A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:2546	normal	SHIPPED_LIVE	Important: Red Hat JBoss BPM Suite 6.4.5 security update	2017-08-29 19:40:38 EDT
Red Hat Product Errata	RHSA-2017:2547	normal	SHIPPED_LIVE	Important: Red Hat JBoss BRMS 6.4.5 security update	2017-08-29 19:40:27 EDT
Red Hat Product Errata	RHSA-2017:2808	normal	SHIPPED_LIVE	Important: Red Hat JBoss Enterprise Application Platform security update	2017-09-26 18:39:54 EDT
Red Hat Product Errata	RHSA-2017:2809	normal	SHIPPED_LIVE	Important: Red Hat JBoss Enterprise Application Platform security update	2017-09-26 18:51:56 EDT
Red Hat Product Errata	RHSA-2017:2810	normal	SHIPPED_LIVE	Important: Red Hat JBoss Enterprise Application Platform security update	2017-09-26 17:58:02 EDT
Red Hat Product Errata	RHSA-2017:2811	normal	SHIPPED_LIVE	Important: eap7-jboss-ec2-eap security update	2017-09-26 19:14:16 EDT
Red Hat Product Errata	RHSA-2017:3141	normal	SHIPPED_LIVE	Important: rhvm-appliance security, bug fix, and enhancement update	2017-11-07 17:23:02 EST
Red Hat Product Errata	RHSA-2018:0294	normal	SHIPPED_LIVE	Important: Red Hat JBoss Data Grid 7.1.2 security update	2018-02-12 17:19:54 EST

Groups: None (edit)

Description Andrej Nemec 2017-05-25 09:32:56 EDT

It was found that jasypt before allows a timing attack against the password hash comparison.

Upstream patch:

https://sourceforge.net/p/jasypt/code/668/

Comment 4 errata-xmlrpc 2017-08-29 15:41:16 EDT

This issue has been addressed in the following products:

  Red Hat JBoss BRMS

Via RHSA-2017:2547 https://access.redhat.com/errata/RHSA-2017:2547

Comment 5 errata-xmlrpc 2017-08-29 15:42:29 EDT

This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite

Via RHSA-2017:2546 https://access.redhat.com/errata/RHSA-2017:2546

Comment 6 errata-xmlrpc 2017-09-26 13:59:37 EDT

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0.8

Via RHSA-2017:2810 https://access.redhat.com/errata/RHSA-2017:2810

Comment 7 errata-xmlrpc 2017-09-26 14:42:18 EDT

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2017:2808 https://access.redhat.com/errata/RHSA-2017:2808

Comment 8 errata-xmlrpc 2017-09-26 14:54:35 EDT

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:2809 https://access.redhat.com/errata/RHSA-2017:2809

Comment 9 errata-xmlrpc 2017-09-26 15:15:53 EDT

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:2811 https://access.redhat.com/errata/RHSA-2017:2811

Comment 10 errata-xmlrpc 2017-11-07 12:32:02 EST

This issue has been addressed in the following products:

  RHEV 4.X RHEV-H and Agents for RHEL-7

Via RHSA-2017:3141 https://access.redhat.com/errata/RHSA-2017:3141

Comment 18 errata-xmlrpc 2018-02-12 12:20:00 EST

This issue has been addressed in the following products:

  Red Hat JBoss Data Grid

Via RHSA-2018:0294 https://access.redhat.com/errata/RHSA-2018:0294

Note You need to log in before you can comment on or make changes to this bug.

abhgupta
aileenc
alazarot
bbaranow
bdawidow
bmaxwell
bmcclain
cdewolf
chazlett
csutherl
dandread
darran.lofthouse
dblechte
dosoudil
drieden
eedri
etirelli
gvarsami
java-sig-commits
jawilson
jcoleman
jshepherd
kconner
kverlaen
ldimaggi
lgao
lpetrovi
mbaluch
mgoldboi
michal.skrivanek
mwinkler
myarboro
nwallace
pdrozd
pgier
psakar
pslavice
psotirop
rnetuka
rrajasek
rsvoboda
rwagner
rzhang
sthorger
tcunning
tiwillia
tkirby
twalsh
vtunka
ykaul
ylavi