[jboss-jira] [JBoss JIRA] (JGRP-1487) X509Token Authentication is vulnerable to replay attacks
RH Bugzilla Integration (JIRA)
jira-events at lists.jboss.org
Tue Oct 22 07:52:02 EDT 2013
[ https://issues.jboss.org/browse/JGRP-1487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12823942#comment-12823942 ]
RH Bugzilla Integration commented on JGRP-1487:
-----------------------------------------------
Martin Gencur <mgencur at redhat.com> made a comment on [bug 1021952|https://bugzilla.redhat.com/show_bug.cgi?id=1021952]
See description of the bug in linked JIRA.
> X509Token Authentication is vulnerable to replay attacks
> --------------------------------------------------------
>
> Key: JGRP-1487
> URL: https://issues.jboss.org/browse/JGRP-1487
> Project: JGroups
> Issue Type: Bug
> Affects Versions: 3.0.9
> Reporter: sreenivas chinimilli
> Assignee: Bela Ban
> Fix For: Future
>
>
> In the implementation of X509Token Authentication,
> the auth_value is encrypted with the certificate within the keystore, and
> during verification the encrypted auth value is decrypted with the private key and
> compared against the original auth value.
> This implementation is prone to replay attacks; that is,
> any user without having any knowledge of the auth value can join the group
> by replaying the encrypted auth value captured in earlier sessions.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
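
The check described in the report, next to a nonce-bound variant that rejects a repeated token, as an added Java example that is neither JGroups code nor the project's fix. The single-use nonce mitigation, the OAEP padding choice, and all class, method and value names are assumptions made for illustration.

```java
import javax.crypto.Cipher;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
// Added illustration, not JGroups code; all names and values are constructed.
public class ReplayDemo {
    static final byte[] AUTH_VALUE = "constructed-secret".getBytes(StandardCharsets.UTF_8);
    static final Set<String> outstanding = new HashSet<>(); // nonces issued, not yet consumed

    static byte[] rsa(int mode, Key key, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(mode, key);
        return c.doFinal(in);
    }

    // Scheme as the report describes it: decrypt, compare with the stored auth value.
    static boolean verifyStatic(PrivateKey priv, byte[] token) throws GeneralSecurityException {
        return MessageDigest.isEqual(rsa(Cipher.DECRYPT_MODE, priv, token), AUTH_VALUE);
    }

    // Verifier side of the assumed mitigation: hand out a random single-use challenge.
    static byte[] issueNonce() {
        byte[] n = new byte[16];
        new SecureRandom().nextBytes(n);
        outstanding.add(Base64.getEncoder().encodeToString(n));
        return n;
    }

    // Accept only nonce || auth value where the nonce is outstanding; consume it on success.
    static boolean verifyFresh(PrivateKey priv, byte[] token) throws GeneralSecurityException {
        byte[] p = rsa(Cipher.DECRYPT_MODE, priv, token);
        if (p.length <= 16) return false;
        String nonce = Base64.getEncoder().encodeToString(Arrays.copyOf(p, 16));
        return MessageDigest.isEqual(Arrays.copyOfRange(p, 16, p.length), AUTH_VALUE)
                && outstanding.remove(nonce);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        byte[] captured = rsa(Cipher.ENCRYPT_MODE, kp.getPublic(), AUTH_VALUE);
        System.out.println("static token, first use: " + verifyStatic(kp.getPrivate(), captured));
        System.out.println("static token, replayed:  " + verifyStatic(kp.getPrivate(), captured));
        byte[] plain = ByteBuffer.allocate(16 + AUTH_VALUE.length).put(issueNonce()).put(AUTH_VALUE).array();
        byte[] fresh = rsa(Cipher.ENCRYPT_MODE, kp.getPublic(), plain);
        System.out.println("nonce-bound, first use:  " + verifyFresh(kp.getPrivate(), fresh));
        System.out.println("nonce-bound, replayed:   " + verifyFresh(kp.getPrivate(), fresh));
    }
}
```

Randomized padding changes the ciphertext bytes on each encryption but not what they decrypt to, so the static check has nothing that ties a token to one join attempt; the nonce set is what supplies that freshness.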