CVE-2017-2585

Опубликовано: 04 апр. 2017

Источник: redhat

CVSS3: 3.7

CVSS2: 2.6

Описание

Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks.

It was found that keycloak's implementation of HMAC verification for JWS tokens uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Mobile Application Platform 4	keycloak	Will not fix
Red Hat Single Sign-On 7.1		Fixed	RHSA-2017:0876	04.04.2017
Red Hat Single Sign-On 7.1 for RHEL 6	rh-sso7	Fixed	RHSA-2017:0872	04.04.2017
Red Hat Single Sign-On 7.1 for RHEL 6	rh-sso7-freemarker	Fixed	RHSA-2017:0872	04.04.2017
Red Hat Single Sign-On 7.1 for RHEL 6	rh-sso7-javapackages-tools	Fixed	RHSA-2017:0872	04.04.2017
Red Hat Single Sign-On 7.1 for RHEL 6	rh-sso7-keycloak	Fixed	RHSA-2017:0872	04.04.2017
Red Hat Single Sign-On 7.1 for RHEL 6	rh-sso7-libunix-dbus-java	Fixed	RHSA-2017:0872	04.04.2017
Red Hat Single Sign-On 7.1 for RHEL 6	rh-sso7-liquibase	Fixed	RHSA-2017:0872	04.04.2017
Red Hat Single Sign-On 7.1 for RHEL 6	rh-sso7-twitter4j	Fixed	RHSA-2017:0872	04.04.2017
Red Hat Single Sign-On 7.1 for RHEL 6	rh-sso7-zxing	Fixed	RHSA-2017:0872	04.04.2017

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-385

https://bugzilla.redhat.com/show_bug.cgi?id=1412376keycloak: timing attack in JWS signature verification

3.7 Low

CVSS3

2.6 Low

CVSS2

Связанные уязвимости

CVE-2017-2585

CVSS3: 5.9

nvd

почти 8 лет назад

CVE-2017-2585

CVSS3: 5.9

debian

почти 8 лет назад

Red Hat Keycloak before version 2.5.1 has an implementation of HMAC ve ...

GHSA-w6gv-3r3v-gwgj

CVSS3: 5.9

github

больше 7 лет назад

keycloak-core vulnerable to timing attacks against JWS token verification

3.7 Low

CVSS3

2.6 Low

CVSS2