Uploaded image for project: 'Red Hat Fuse'
  1. Red Hat Fuse
  2. ENTESB-8439

CVE-2017-9735 jetty: Timing channel attack in util/security/Password.java [fis-2.0]

    XMLWordPrintable

    Details

    • Security Sensitive Issue:
      This issue is security relevant

      Description

      Security Tracking Issue

      Do not make this issue public.

      This bug is subject to the Security Errata Policy.

      The overall impact of the blocking security issue(s) is Moderate. Based on this impact, this bug must be resolved by 16-May-2018.

      Please refer to the Security Errata Policy documentation for further details: https://docs.prodsec.redhat.com/policy-guide/#policy-errata

      Flaw:

      CVE-2017-9735 jetty: Timing channel attack in util/security/Password.java
      https://bugzilla.redhat.com/show_bug.cgi?id=1464158

      Jetty is prone to a timing channel attack in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

      Upstream issue:

      https://github.com/eclipse/jetty.project/issues/1556

      Upstream patch:

      https://github.com/eclipse/jetty.project/commit/042f325f1cd6e7891d72c7e668f5947b5457dc02

        Gliffy Diagrams

          Attachments

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                hooman_b2455 Hooman Broujerdi
                Tester:
                Lukas Lowinger
                Involved:
                Hooman Broujerdi
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Due:
                  Created:
                  Updated:
                  Resolved: