Description
A flaw was found in Wildfly: when an OpenSSL security provider is used, the 'enabled-protocols' value in the Wildfly configuration is not honored. An attacker able to intercept traffic sent from Wildfly could downgrade the connection to a weaker TLS version than the one configured, potentially breaking the encryption and leaking the data passed over the network. Wildfly versions 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable.
Mitigation
Avoid the OpenSSL security provider: use the default configuration, or the regular JSSE provider with the protocol set to 'TLS', so that the configured 'enabled-protocols' restriction is enforced. After switching, confirm from outside the host that the TLS versions not listed in 'enabled-protocols' are actually refused.
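The check a practitioner would want after applying this mitigation (or to confirm exposure before it): probe the listener with each TLS version pinned on the client side and compare what the server actually negotiates with the 'enabled-protocols' list it is configured with. If a version outside that list completes a handshake, the restriction is not being honored, which is exactly the downgrade path the advisory describes. The code below is an added example written for this page, not code from Wildfly or Red Hat; the host, port and configured protocol list are supplied by the caller, and the probe results used in the offline check are constructed.

```python
"""Probe a TLS listener with each protocol version pinned and compare what
the server actually negotiates with the 'enabled-protocols' it is configured
with. Added example for this page, not Wildfly or Red Hat code."""
import socket
import ssl
import sys

# Protocol versions the local OpenSSL can be asked to pin, oldest first.
# The names match what ssl.SSLSocket.version() reports after a handshake.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
ACCEPTED = "accepted"          # server completed a handshake at this version
REJECTED = "rejected"          # server alerted or dropped the connection
UNAVAILABLE = "unavailable"    # local OpenSSL cannot offer this version at all


def context_for(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # This is a scanner, not a client: certificate validity is irrelevant.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # OpenSSL 3 refuses to offer TLS 1.0/1.1 at its default security level;
    # level 0 lets the probe offer them. Ignored where the syntax is unknown.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def probe_tls_versions(host, port, timeout=5.0):
    """Return {version name: ACCEPTED | REJECTED | UNAVAILABLE} for host:port.
    Needs network access to the target; check_enabled_protocols() below is
    pure and can be exercised offline."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            ctx = context_for(version)
        except (ValueError, ssl.SSLError):
            results[name] = UNAVAILABLE   # version compiled out locally
            continue
        try:
            raw = socket.create_connection((host, port), timeout=timeout)
        except OSError as exc:
            # TCP failure is not a TLS verdict; do not record it as a refusal.
            raise RuntimeError(f"cannot reach {host}:{port}: {exc}") from exc
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # Trust the negotiated version, not merely the absence of an error.
                results[name] = ACCEPTED if tls.version() == name else REJECTED
        except (ssl.SSLError, ConnectionError, socket.timeout):
            # protocol_version / handshake_failure alerts, or a server that
            # simply closes the connection on an unsupported ClientHello.
            results[name] = REJECTED
        finally:
            raw.close()
    return results


def check_enabled_protocols(observed, enabled):
    """Compare probe results with the configured 'enabled-protocols'.

    Returns (downgrade, missing):
      downgrade: versions the server accepted although they are not in
                 'enabled-protocols'; these are the downgrade targets that
                 show the configured restriction is not being honored.
      missing:   versions listed in 'enabled-protocols' that the server
                 refused (configuration not applied). Versions the local
                 OpenSSL could not offer (UNAVAILABLE) appear in neither list."""
    enabled = set(enabled)
    order = list(VERSIONS)
    downgrade = sorted((v for v, r in observed.items()
                        if r == ACCEPTED and v not in enabled), key=order.index)
    missing = sorted((v for v, r in observed.items()
                      if r == REJECTED and v in enabled), key=order.index)
    return downgrade, missing


if __name__ == "__main__":
    # Usage (arguments assumed): python probe.py HOST PORT TLSv1.2 [TLSv1.3 ...]
    host, port, *enabled = sys.argv[1:]
    observed = probe_tls_versions(host, int(port))
    downgrade, missing = check_enabled_protocols(observed, enabled)
    for name in VERSIONS:
        print(f"{name:8} {observed[name]}")
    if downgrade:
        print("NOT HONORED: server also negotiates", ", ".join(downgrade))
    if missing:
        print("not offered although enabled:", ", ".join(missing))
    sys.exit(1 if downgrade else 0)
```

Run it against the Wildfly HTTPS listener with the same list you put in 'enabled-protocols'; a non-zero exit with a "NOT HONORED" line means an older version is still negotiable and the provider change has not taken effect. The probe deliberately distinguishes a TCP failure from a TLS refusal, and a version the local OpenSSL cannot offer from one the server rejected, so that a scanner limitation is never read as a server that enforces its configuration.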
Affected packages
| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Decision Manager 7 | wildfly | Not affected | | |
| Red Hat JBoss Data Grid 7 | wildfly | Affected | | |
| Red Hat JBoss Data Virtualization 6 | jbossas | Out of support scope | | |
| Red Hat JBoss Data Virtualization 6 | wildfly | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 5 | jbossas | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 6 | jbossas | Out of support scope | | |
| Red Hat JBoss Fuse 6 | wildfly | Out of support scope | | |
| Red Hat JBoss Operations Network 3 | wildfly | Out of support scope | | |
| Red Hat JBoss SOA Platform 5 | jbossas | Out of support scope | | |
| Red Hat OpenShift Application Runtimes | wildfly | Affected | | |
Additional information
CVSS3: 7.4 (High)
Related vulnerabilities
Inadequate Encryption Strength and Algorithm Downgrade in Wildfly
A vulnerability in the Wildfly application server related to improper handling of exceptional conditions, allowing an attacker to affect the confidentiality and integrity of protected information.
CVSS3: 7.4 (High)