Debezium: DBZ-5854

Upgrade wildfly-elytron to 1.15.5 / 1.16.1 due to CVE-2021-3642



      A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.

      CVE report

      What Debezium connector do you use and what version?

      Debezium Oracle connector 1.8.0 (future release); previous releases could also be affected

      Implementation ideas

      Upgrade:

      • infinispan-client-hotrod to 14.0.2.Final
      • infinispan-core to 14.0.2.Final

      Relevant part of the dependency tree:

      org.infinispan:infinispan-client-hotrod:jar:12.1.6.Final:compile
            +- org.wildfly.security:wildfly-elytron-sasl-digest:jar:1.15.1.Final:compile
            |  +- org.wildfly.security:wildfly-elytron-auth-server:jar:1.15.1.Final:compile
            |  |  +- org.wildfly.security:wildfly-elytron-auth:jar:1.15.1.Final:compile
            |  |  +- org.wildfly.security:wildfly-elytron-base:jar:1.15.1.Final:compile
            |  |  +- org.wildfly.security:wildfly-elytron-permission:jar:1.15.1.Final:compile
            |  |  \- org.wildfly.security:wildfly-elytron-x500:jar:1.15.1.Final:compile
            |  +- org.wildfly.security:wildfly-elytron-credential:jar:1.15.1.Final:compile
            |  |  +- org.wildfly.security:wildfly-elytron-keystore:jar:1.15.1.Final:compile
            |  |  \- org.wildfly.security:wildfly-elytron-provider-util:jar:1.15.1.Final:compile
            |  +- org.wildfly.security:wildfly-elytron-mechanism:jar:1.15.1.Final:compile
            |  |  \- org.wildfly.security:wildfly-elytron-http:jar:1.15.1.Final:compile
            |  +- org.wildfly.security:wildfly-elytron-mechanism-digest:jar:1.15.1.Final:compile
            |  +- org.wildfly.security:wildfly-elytron-sasl:jar:1.15.1.Final:compile
            |  |  \- org.wildfly.security:wildfly-elytron-ssl:jar:1.15.1.Final:compile
            |  \- org.wildfly.security:wildfly-elytron-util:jar:1.15.1.Final:compile
            +- org.wildfly.security:wildfly-elytron-sasl-external:jar:1.15.1.Final:compile
            +- org.wildfly.security:wildfly-elytron-sasl-gs2:jar:1.15.1.Final:compile
            |  +- org.wildfly.security:wildfly-elytron-asn1:jar:1.15.1.Final:compile
            |  +- org.wildfly.security:wildfly-elytron-mechanism-gssapi:jar:1.15.1.Final:compile
            |  \- org.wildfly.security:wildfly-elytron-security-manager-action:jar:1.15.1.Final:compile
            +- org.wildfly.security:wildfly-elytron-sasl-gssapi:jar:1.15.1.Final:compile
            +- org.wildfly.security:wildfly-elytron-sasl-oauth2:jar:1.15.1.Final:compile
            |  \- org.wildfly.security:wildfly-elytron-mechanism-oauth2:jar:1.15.1.Final:compile
            +- org.wildfly.security:wildfly-elytron-sasl-plain:jar:1.15.1.Final:compile
            +- org.wildfly.security:wildfly-elytron-sasl-scram:jar:1.15.1.Final:compile
            |  \- org.wildfly.security:wildfly-elytron-mechanism-scram:jar:1.15.1.Final:compile
            \- org.wildfly.security:wildfly-elytron-password-impl:jar:1.15.1.Final:compile
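As an added check (not part of this issue or of the Debezium code base), a script that scans `mvn dependency:tree` output for wildfly-elytron artifacts still below the fixed releases named in the advisory (1.10.14.Final, 1.15.5.Final, 1.16.1.Final). The tree excerpt is constructed in the same shape as the one above; how unmaintained branches between those releases are treated is an assumption, stated in the comments.

```python
import re

# Constructed excerpt in the format of `mvn dependency:tree` (not the issue's full tree)
SAMPLE_TREE = """
org.infinispan:infinispan-client-hotrod:jar:12.1.6.Final:compile
+- org.wildfly.security:wildfly-elytron-sasl-digest:jar:1.15.1.Final:compile
|  \\- org.wildfly.security:wildfly-elytron-auth-server:jar:1.15.1.Final:compile
+- org.wildfly.security:wildfly-elytron-sasl-scram:jar:1.15.1.Final:compile
|  \\- org.wildfly.security:wildfly-elytron-mechanism-scram:jar:1.15.1.Final:compile
\\- org.wildfly.security:wildfly-elytron-password-impl:jar:1.16.1.Final:compile
"""

# First fixed release per maintained branch, as stated in the CVE-2021-3642 description
FIXED = {(1, 10): (1, 10, 14), (1, 15): (1, 15, 5), (1, 16): (1, 16, 1)}

# groupId:artifactId:jar:version:scope, as printed by the Maven dependency plugin
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)")


def parse_version(version: str) -> tuple:
    """Reduce '1.15.1.Final' to (1, 15, 1); the qualifier is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    major, minor, patch = parse_version(version)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        # Assumption: branches the advisory does not list and that predate 1.16
        # (e.g. 1.11-1.14) never received the fix; anything newer includes it.
        return (major, minor) < (1, 16)
    return (major, minor, patch) < fixed


def find_vulnerable_elytron(tree_text: str) -> list:
    """Return (artifactId, version) for every affected wildfly-elytron artifact."""
    hits = []
    for line in tree_text.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        group, artifact, version, _scope = m.groups()
        if group == "org.wildfly.security" and artifact.startswith("wildfly-elytron"):
            if is_vulnerable(version):
                hits.append((artifact, version))
    return hits


if __name__ == "__main__":
    for artifact, version in find_vulnerable_elytron(SAMPLE_TREE):
        print(f"affected: {artifact} {version}")
```

Run it against the real output of `mvn dependency:tree` on the connector module to confirm that, after the infinispan bump, no wildfly-elytron artifact below the fixed releases remains.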

            Assignee: Unassigned
            Reporter: Tamas Egyed (egyed.t, Inactive)