Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear-text messages which were supposed to be encrypted.
* Red Hat OpenStack Platform's OpenDaylight versions 8-10 contain the vulnerable code. However, these OpenDaylight versions were released as technical preview with limited support and will therefore not be updated. Other OpenDaylight versions do not contain the vulnerable library.
* This issue affects the version of apache-mina shipped with Red Hat Gluster Storage 3, as it contains the vulnerable functionality.
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss A-MQ 6
* Red Hat JBoss BPM Suite 6
* Red Hat JBoss BRMS 5
* Red Hat JBoss BRMS 6
* Red Hat JBoss Data Virtualization & Services 6
* Red Hat JBoss SOA Platform 5
* Red Hat JBoss Fuse Service Works 6
* Red Hat JBoss Fuse 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.