Bug 1700016 (CVE-2019-0231) - CVE-2019-0231 mina-core: Retaining an open socket in close_notify SSL-TLS leading to Information disclosure.
Summary: CVE-2019-0231 mina-core: Retaining an open socket in close_notify SSL-TLS lea...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-0231
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1706022 1744395
Blocks: 1700018
TreeView+ depends on / blocked
 
Reported: 2019-04-15 15:16 UTC by Marian Rehak
Modified: 2021-12-14 18:47 UTC (History)
49 users (show)

Fixed In Version: apache-mina 2.0.21, apache-mina 2.1.1
Doc Type: If docs needed, set a value
Doc Text:
A cryptographic protocol integrity flaw was discovered in Apache Mina. The closure of a TLS session would not always result in closure of the socket, allowing the conversation to continue in clear text. This could undermine the confidentiality of a connection and potentially disclose sensitive information to third-party attackers.
Clone Of:
Environment:
Last Closed: 2020-03-16 10:17:57 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0895 0 None None None 2020-03-18 14:51:53 UTC
Red Hat Product Errata RHSA-2020:0899 0 None None None 2020-03-18 17:38:04 UTC
Red Hat Product Errata RHSA-2020:1454 0 None None None 2020-04-14 13:22:06 UTC
Red Hat Product Errata RHSA-2020:3192 0 None None None 2020-07-28 15:54:29 UTC

Description Marian Rehak 2019-04-15 15:16:49 UTC 
Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear-text messages which were supposed to be encrypted.
Comment 1 Marian Rehak 2019-04-17 09:52:10 UTC 
External References:

https://www.openwall.com/lists/oss-security/2019/04/14/1
Comment 3 Hardik Vyas 2019-05-03 12:04:48 UTC 
Statement:

* Red Hat OpenStack Platform's OpenDaylight versions 8-10 contain the vulnerable code. However, these OpenDaylight versions were released as technical preview with limited support and will therefore not be updated. Other OpenDaylight versions do not contain the vulnerable library.

* This issue affects the version of apache-mina shipped with Red Hat Gluster Storage 3, as it contains the vulnerable functionality.
Comment 5 Joshua Padman 2019-05-15 23:04:27 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss A-MQ 6
 * Red Hat JBoss BPM Suite 6
 * Red Hat JBoss BRMS 5
 * Red Hat JBoss BRMS 6
 * Red Hat JBoss Data Virtualization & Services 6
 * Red Hat JBoss SOA Platform 5
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 11 errata-xmlrpc 2020-03-18 14:51:50 UTC 
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2020:0895 https://access.redhat.com/errata/RHSA-2020:0895
Comment 12 errata-xmlrpc 2020-03-18 17:37:57 UTC 
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2020:0899 https://access.redhat.com/errata/RHSA-2020:0899
Comment 13 errata-xmlrpc 2020-04-14 13:22:04 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.7 for RHEL 7

Via RHSA-2020:1454 https://access.redhat.com/errata/RHSA-2020:1454
Comment 14 errata-xmlrpc 2020-07-28 15:54:25 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.7.0

Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192
Note You need to log in before you can comment on or make changes to this bug.