Description
The OAuth2 Hawk and JOSE MAC validation code in Apache CXF before 3.0.13, and in 3.1.x before 3.1.10, does not use a constant-time comparison when checking a MAC signature: the time the check takes depends on how many leading bytes of the received MAC match the expected one. Sophisticated timing attacks can exploit this difference to forge a valid MAC. Only OAuth2 Hawk or JWT access tokens, and JOSE JWS/JWE interceptors that depend on HMAC secret-key algorithms, are affected.
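The following is an added example, written for this page and not Apache CXF's code, that shows the defect the advisory describes on an HS256 JWS, one of the HMAC-based token kinds it lists. It signs a token with a constructed demo key, then verifies it with two comparison routines: an early-exit byte comparison (the non-constant-time behaviour) and a constant-time one. Each routine reports how many bytes it examined, which stands in for elapsed time, so the leak is visible without timing measurements. The key, claims and `forge_with_prefix` helper are all assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would load this from configuration.
KEY = b"constructed-demo-secret-key"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) with HMAC-SHA256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    tag = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(tag)}"


def early_exit_compare(expected: bytes, received: bytes):
    """Non-constant-time check: stops at the first mismatching byte.
    Returns (equal, bytes_examined); bytes_examined is the timing side channel."""
    if len(expected) != len(received):
        return False, 0
    examined = 0
    for x, y in zip(expected, received):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(expected: bytes, received: bytes):
    """Constant-time check: every byte is examined regardless of where
    mismatches occur, so bytes_examined is always the full tag length."""
    if len(expected) != len(received):
        return False, 0
    diff = 0
    for x, y in zip(expected, received):
        diff |= x ^ y
    return diff == 0, len(expected)


def verify_hs256(token: str, key: bytes, constant_time: bool = True):
    """Recompute the HMAC over header.payload and compare it with the tag.
    Returns (valid, bytes_examined)."""
    header, payload, sig = token.split(".")
    signing_input = f"{header}.{payload}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    received = b64url_decode(sig)
    compare = constant_time_compare if constant_time else early_exit_compare
    return compare(expected, received)


def forge_with_prefix(token: str, key: bytes, good_prefix_len: int) -> str:
    """Hypothetical attacker helper: build a token whose tag matches the genuine
    tag for the first good_prefix_len bytes and differs in every later byte.
    It models an attacker who has already recovered that many bytes by timing;
    the key is used here only to construct the test case."""
    header, payload, _ = token.split(".")
    signing_input = f"{header}.{payload}".encode("ascii")
    genuine = hmac.new(key, signing_input, hashlib.sha256).digest()
    forged = genuine[:good_prefix_len] + bytes(b ^ 0xFF for b in genuine[good_prefix_len:])
    return f"{header}.{payload}.{b64url_encode(forged)}"


if __name__ == "__main__":
    token = sign_hs256({"sub": "alice", "scope": "read"}, KEY)
    for prefix in (0, 5, 16, 31):
        candidate = forge_with_prefix(token, KEY, prefix)
        _, leaky = verify_hs256(candidate, KEY, constant_time=False)
        _, fixed = verify_hs256(candidate, KEY, constant_time=True)
        print(f"matching prefix {prefix:2d}: early-exit examined {leaky:2d} bytes, constant-time examined {fixed} bytes")
```

With the early-exit routine the number of bytes examined grows with the length of the correct prefix, so an attacker who can observe response time can confirm each guessed byte in turn and recover a 32-byte tag in at most 32 × 256 guesses instead of 256^32. The constant-time routine examines all 32 bytes every time. In production code use the platform primitive rather than a hand-written loop: `hmac.compare_digest` in Python, or a constant-time equality check such as `MessageDigest.isEqual` on a current JDK for Java code like CXF.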
Affected packages
| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| Red Hat BPM Suite 6 | cxf | Not affected | | |
| Red Hat JBoss BRMS 5 | cxf | Not affected | | |
| Red Hat JBoss BRMS 6 | cxf | Not affected | | |
| Red Hat JBoss Data Grid 6 | cxf | Out of support scope | | |
| Red Hat JBoss Data Virtualization 6 | cxf | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 5 | cxf | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 6 | cxf | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 7 | cxf | Not affected | | |
| Red Hat JBoss Fuse Service Works 6.0.0 | cxf | Not affected | | |
| Red Hat JBoss Operations Network 3 | cxf | Out of support scope | | |
Additional information
Status:
EPSS
5.3 Medium
CVSS3