[jboss-jira] [JBoss JIRA] (WFLY-12834) CVE-2019-14887 The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use

Farah Juma (Jira) issues at jboss.org
Wed Apr 8 10:16:15 EDT 2020


     [ https://issues.redhat.com/browse/WFLY-12834?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Farah Juma updated WFLY-12834:
------------------------------
    Git Pull Request: https://github.com/wildfly/wildfly/pull/13152, https://github.com/wildfly/wildfly/pull/13190  (was: https://github.com/wildfly/wildfly/pull/13152)


> CVE-2019-14887 The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use
> -----------------------------------------------------------------------------------------------------------------------
>
>                 Key: WFLY-12834
>                 URL: https://issues.redhat.com/browse/WFLY-12834
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>            Reporter: Kunjan Rathod
>            Assignee: Farah Juma
>            Priority: Major
>             Fix For: 20.0.0.Beta1
>
>
> Security Issue
> Do not make this issue public.
> The 'enabled-protocols' attribute in legacy security seems not to be working if the 'openssl.TLS' provider is in use. If the regular JSSE provider with the 'TLS' value is in use, it works just fine, but not in the case of 'openssl.TLS'. See more info in the reproduction steps.
> NOTE: as described in the WFCORE-4737 comment, this is a possible security issue, as an attacker can simply persuade the server to communicate with him via a lower TLS version than the one specified in the server configuration! This is currently also the reason why this is marked as a blocker now.



--
This message was sent by Atlassian Jira
(v7.13.8#713008)