Handling of the close_notify SSL/TLS message does not lead to closure of the connection: the server keeps the socket open, and the client may receive clear-text messages that were supposed to be encrypted.
External References: https://www.openwall.com/lists/oss-security/2019/04/14/1
Statement:
* Red Hat OpenStack Platform's OpenDaylight versions 8-10 contain the vulnerable code. However, these OpenDaylight versions were released as technical preview with limited support and will therefore not be updated. Other OpenDaylight versions do not contain the vulnerable library.
* This issue affects the version of apache-mina shipped with Red Hat Gluster Storage 3, as it contains the vulnerable functionality.

This vulnerability is out of security support scope for the following products:
* Red Hat JBoss A-MQ 6
* Red Hat JBoss BPM Suite 6
* Red Hat JBoss BRMS 5
* Red Hat JBoss BRMS 6
* Red Hat JBoss Data Virtualization & Services 6
* Red Hat JBoss SOA Platform 5
* Red Hat JBoss Fuse Service Works 6
* Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products:
* Red Hat Process Automation
Via RHSA-2020:0895 https://access.redhat.com/errata/RHSA-2020:0895

This issue has been addressed in the following products:
* Red Hat Decision Manager
Via RHSA-2020:0899 https://access.redhat.com/errata/RHSA-2020:0899

This issue has been addressed in the following products:
* Red Hat Satellite 6.7 for RHEL 7
Via RHSA-2020:1454 https://access.redhat.com/errata/RHSA-2020:1454

This issue has been addressed in the following products:
* Red Hat Fuse 7.7.0
Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192