Bug 1700016 (CVE-2019-0231) - CVE-2019-0231 mina-core: Retaining an open socket in close_notify SSL-TLS leading to Information disclosure.
Status: NEW
Alias: CVE-2019-0231
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190414,repor...
Keywords: Security
Depends On: 1706022
Blocks: 1700018
Reported: 2019-04-15 15:16 UTC by Marian Rehak
Modified: 2019-05-31 14:26 UTC (History)
CC List: 50 users
Clone Of:
Last Closed:


Description Marian Rehak 2019-04-15 15:16:49 UTC
Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to keep the socket open and the client to potentially receive clear-text messages which were supposed to be encrypted.
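The defect described above is that the TLS layer keeps the session and the underlying socket alive after the peer's close_notify alert, so later traffic can be handed to the application (or sent) outside the TLS protection. The following is an added example, not Apache MINA's own code and not the patch for this CVE: a minimal handler on javax.net.ssl.SSLEngine that treats an inbound close_notify as the end of the connection, answers it with its own close_notify, closes the TCP socket, and refuses any further reads or writes. The class and method names are assumptions, and the handler assumes the TLS handshake has already completed before it is used.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SocketChannel;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;

/**
 * Constructed example (not Apache MINA code): a minimal TLS session handler
 * built on SSLEngine that treats an inbound close_notify as the end of the
 * connection. Once the peer has closed the TLS layer, the handler closes the
 * TCP socket and refuses further reads and writes, so no data can be passed
 * on in clear text. Class and method names are assumed; the handshake is
 * assumed to have completed already.
 */
public final class CloseNotifyAwareHandler {
    private final SSLEngine engine;
    private final SocketChannel channel;
    private final ByteBuffer plainIn;
    private boolean closed;

    public CloseNotifyAwareHandler(SSLEngine engine, SocketChannel channel) {
        this.engine = engine;
        this.channel = channel;
        this.plainIn = ByteBuffer.allocate(engine.getSession().getApplicationBufferSize());
    }

    public boolean isClosed() {
        return closed;
    }

    /**
     * Decrypts one batch of inbound TLS records. Returns the decrypted
     * application data, or null once the peer has sent close_notify.
     */
    public ByteBuffer onDataReceived(ByteBuffer encrypted) throws IOException {
        if (closed) {
            // Bytes arriving after close_notify are never application data.
            throw new SSLException("data received after close_notify; session is closed");
        }
        plainIn.clear();
        SSLEngineResult result = engine.unwrap(encrypted, plainIn);
        switch (result.getStatus()) {
            case CLOSED:
                // close_notify from the peer: reply with ours, then drop the socket.
                shutdown();
                return null;
            case OK:
            case BUFFER_UNDERFLOW:
                // OK: plaintext produced; UNDERFLOW: wait for the rest of the record.
                plainIn.flip();
                return plainIn;
            default:
                throw new SSLException("unexpected unwrap status " + result.getStatus());
        }
    }

    /** Encrypts and sends application data; refused once the TLS session is closed. */
    public void write(ByteBuffer plaintext) throws IOException {
        if (closed || engine.isOutboundDone()) {
            throw new SSLException("write refused: TLS session already closed");
        }
        ByteBuffer net = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        SSLEngineResult result = engine.wrap(plaintext, net);
        if (result.getStatus() != SSLEngineResult.Status.OK) {
            throw new SSLException("wrap failed with status " + result.getStatus());
        }
        net.flip();
        while (net.hasRemaining()) {
            channel.write(net);
        }
    }

    /** Sends our close_notify (best effort) and always closes the TCP socket. */
    public void shutdown() throws IOException {
        if (closed) {
            return;
        }
        closed = true;
        engine.closeOutbound();
        ByteBuffer net = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        try {
            while (!engine.isOutboundDone()) {
                net.clear();
                // wrap() with an empty source emits the pending close_notify alert.
                SSLEngineResult result = engine.wrap(ByteBuffer.allocate(0), net);
                net.flip();
                while (net.hasRemaining()) {
                    channel.write(net);
                }
                if (result.bytesProduced() == 0) {
                    break; // nothing more to flush; do not spin
                }
            }
        } finally {
            // The socket is closed whether or not the alert could be flushed.
            channel.close();
        }
    }
}
```

The two checks that matter for this class of bug are the `closed` flag consulted at the top of both `onDataReceived` and `write`, and the `finally` in `shutdown` that closes the channel unconditionally: a session that has seen close_notify can neither surface inbound bytes as application data nor send application data again, and the socket cannot outlive the TLS session.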

Comment 1 Marian Rehak 2019-04-17 09:52:10 UTC
External References:

https://www.openwall.com/lists/oss-security/2019/04/14/1

Comment 3 Hardik Vyas 2019-05-03 12:04:48 UTC
Statement:

* Red Hat OpenStack Platform's OpenDaylight versions 8-10 contain the vulnerable code. However, these OpenDaylight versions were released as technical preview with limited support and will therefore not be updated. Other OpenDaylight versions do not contain the vulnerable library.

* This issue affects the version of apache-mina shipped with Red Hat Gluster Storage 3, as it contains the vulnerable functionality.

Comment 5 Joshua Padman 2019-05-15 23:04:27 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss A-MQ 6
 * Red Hat JBoss BPM Suite 6
 * Red Hat JBoss BRMS 5
 * Red Hat JBoss BRMS 6
 * Red Hat JBoss Data Virtualization & Services 6
 * Red Hat JBoss SOA Platform 5
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.