[jboss-jira] [JBoss JIRA] (WFCORE-4737) CVE-2019-14887 The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use

Farah Juma (Jira) issues at jboss.org
Fri Mar 27 13:25:44 EDT 2020


     [ https://issues.redhat.com/browse/WFCORE-4737?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Farah Juma updated WFCORE-4737:
-------------------------------
    Security:     (was: Security Issue)


> CVE-2019-14887 The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use
> -----------------------------------------------------------------------------------------------------------------------
>
>                 Key: WFCORE-4737
>                 URL: https://issues.redhat.com/browse/WFCORE-4737
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 10.0.0.Final
>         Environment: {code}
> $ java -version
> openjdk version "1.8.0_222"
> OpenJDK Runtime Environment (build 1.8.0_222-b10)
> OpenJDK 64-Bit Server VM (build 25.222-b10, mixed mode)
> $ openssl version
> OpenSSL 1.1.1d FIPS  10 Sep 2019
> $ uname -r
> 5.3.6-200.fc30.x86_64
> {code}
> Note, I can also see the same behaviour with JDK-11:
> {code}
> $ java -version
> java version "11.0.1" 2018-10-16 LTS
> Java(TM) SE Runtime Environment 18.9 (build 11.0.1+13-LTS)
> Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.1+13-LTS, mixed mode)
> {code}
>            Reporter: Jan Stourac
>            Assignee: Farah Juma
>            Priority: Major
>             Fix For: 12.0.0.Beta1
>
>
> The 'enabled-protocols' attribute in legacy security does not seem to work if the 'openssl.TLS' provider is in use. If the regular JSSE provider with the 'TLS' value is in use, it works just fine, but not in the case of 'openssl.TLS'. See the reproduction steps for more info.



--
This message was sent by Atlassian Jira
(v7.13.8#713008)
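
One way to check from the outside whether a TLS listener honours its configured 'enabled-protocols' list, whichever provider is in use. This is an added example, not part of the issue or of WildFly's code; the function names and the host, port and protocol-list arguments are assumptions.

```python
import socket
import ssl
import sys
import warnings

# Protocol names as they would be written in an 'enabled-protocols' list.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe(host, port, name, timeout=5.0):
    """Return True if the server completes a handshake pinned to one protocol."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # only the protocol version is under test,
    ctx.verify_mode = ssl.CERT_NONE  # not the certificate chain
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        try:
            ctx.minimum_version = VERSIONS[name]  # pin min and max to one version
            ctx.maximum_version = VERSIONS[name]
        except ValueError:           # the local OpenSSL build lacks this version
            return False
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() == name
    except (ssl.SSLError, OSError):  # handshake refused, reset, or timed out
        return False

def unexpected(accepted, enabled_protocols):
    """Protocols the server accepted that the configuration does not list."""
    allowed = {p.strip() for p in enabled_protocols}
    return [p for p in accepted if p not in allowed]

def audit(host, port, enabled_protocols):
    """Probe every known version and report the ones that should be disabled."""
    accepted = [name for name in VERSIONS if probe(host, port, name)]
    return unexpected(accepted, enabled_protocols)

if __name__ == "__main__":
    # Usage: script.py HOST PORT TLSv1.2[,TLSv1.3]
    host, port, enabled = sys.argv[1], int(sys.argv[2]), sys.argv[3].split(",")
    extra = audit(host, port, enabled)
    print("accepted but not enabled:", ", ".join(extra) if extra else "none")
    sys.exit(1 if extra else 0)
```

A negative result for TLSv1 or TLSv1.1 can also come from the client's own OpenSSL policy refusing those versions, so run the check from a host whose OpenSSL still permits them.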

