{ "threat_severity" : "Moderate", "public_date" : "2017-02-20T00:00:00Z", "bugzilla" : { "description" : "jasypt: Vulnerable to timing attack against the password hash comparison", "id" : "1455566", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1455566" }, "cvss3" : { "cvss3_base_score" : "5.1", "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-385", "details" : [ "jasypt before 1.9.2 allows a timing attack against the password hash comparison.", "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison." ], "affected_release" : [ { "product_name" : "Red Hat Data Grid 7.1.2", "release_date" : "2018-02-12T00:00:00Z", "advisory" : "RHSA-2018:0294", "cpe" : "cpe:/a:redhat:jboss_data_grid:7.1" }, { "product_name" : "Red Hat JBoss BPMS 6.4", "release_date" : "2017-08-29T00:00:00Z", "advisory" : "RHSA-2017:2546", "cpe" : "cpe:/a:redhat:jboss_bpms:6.4", "package" : "jasypt" }, { "product_name" : "Red Hat JBoss BRMS 6.4", "release_date" : "2017-08-29T00:00:00Z", "advisory" : "RHSA-2017:2547", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6.4", "package" : "jasypt" }, { "product_name" : "Red Hat JBoss EAP 7", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2810", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2809", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2809", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2809", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2809", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2809", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2809", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2809", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2809", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2809", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2809", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2809", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2809", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2809", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2809", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2809", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2811", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package" : "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2808", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7", "package" : "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2808", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7", "package" : "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2808", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7", "package" : "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2808", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7", "package" : "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2808", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7", "package" : "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2808", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7", "package" : "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2808", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7", "package" : "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2808", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7", "package" : "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2808", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7", "package" : "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2808", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7", "package" : "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2808", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7", "package" : "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2808", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7", "package" : "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2808", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7", "package" : "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2808", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7", "package" : "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2808", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7", "package" : "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7", "release_date" : "2017-09-26T00:00:00Z", "advisory" : "RHSA-2017:2811", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7", "package" : "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7" }, { "product_name" : "Red Hat Single Sign-On 7.1", "release_date" : "2017-10-17T00:00:00Z", "advisory" : "RHSA-2017:2906", "cpe" : "cpe:/a:redhat:jboss_single_sign_on:7.1" }, { "product_name" : "Red Hat Single Sign-On 7.1 for RHEL 6", "release_date" : "2017-10-17T00:00:00Z", "advisory" : "RHSA-2017:2904", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7::el6", "package" : "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6" }, { "product_name" : "Red Hat Single Sign-On 7.1 for RHEL 7", "release_date" : "2017-10-17T00:00:00Z", "advisory" : "RHSA-2017:2905", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7::el7", "package" : "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7" }, { "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7", "release_date" : "2017-11-07T00:00:00Z", "advisory" : "RHSA-2017:3141", "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor", "package" : "rhvm-appliance-0:20171102.0-1" } ], "package_state" : [ { "product_name" : "Red Hat JBoss A-MQ 6", "fix_state" : "Not affected", "package_name" : "jasypt", "cpe" : "cpe:/a:redhat:jboss_amq:6" }, { "product_name" : "Red Hat JBoss BRMS 5", "fix_state" : "Will not fix", "package_name" : "jasypt", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Affected", "package_name" : "jasypt", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Not affected", "package_name" : "jasypt", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Will not fix", "package_name" : "jasypt", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat OpenShift Enterprise 2", "fix_state" : "Under investigation", "package_name" : "jasypt", "cpe" : "cpe:/a:redhat:openshift:2" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-9970\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-9970" ], "name" : "CVE-2014-9970", "csaw" : false }