Description
Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.0.21, 2.1.0 users should migrate to 2.1.1. This issue affects: Apache MINA.
A cryptographic protocol integrity flaw was discovered in Apache Mina. The closure of a TLS session would not always result in closure of the socket, allowing the conversation to continue in clear text. This could undermine the confidentiality of a connection and potentially disclose sensitive information to third-party attackers.
Report
- Red Hat OpenStack Platform's OpenDaylight versions 8-10 contain the vulnerable code. However, these OpenDaylight versions were released as technical preview with limited support and will therefore not be updated. Other OpenDaylight versions do not contain the vulnerable library.
- This issue affects the version of apache-mina shipped with Red Hat Gluster Storage 3, as it contains the vulnerable functionality.
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat BPM Suite 6 | mina-core | Out of support scope | | |
Red Hat JBoss A-MQ 6 | mina-core | Out of support scope | | |
Red Hat JBoss BRMS 5 | mina-core | Out of support scope | | |
Red Hat JBoss BRMS 6 | mina-core | Out of support scope | | |
Red Hat JBoss Data Virtualization 6 | mina-core | Out of support scope | | |
Red Hat JBoss Fuse 6 | mina-core | Out of support scope | | |
Red Hat JBoss Fuse Service Works 6 | mina-core | Out of support scope | | |
Red Hat JBoss SOA Platform 5 | mina-core | Out of support scope | | |
Red Hat OpenStack Platform 10 (Newton) | opendaylight | Will not fix | | |
Red Hat OpenStack Platform 8 (Liberty) | opendaylight | Will not fix | | |
Additional information
CVSS3: 6.8 Medium