Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 1.15.15.Final, 1.20.3.Final, 2.1.0.Final
Affects Version/s: None
Component/s: None
Labels:
None

WildFly Elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. java.security.MessageDigest.isEqual should be used instead to compare values securely. An attacker could possibly use this vulnerability to access secure information or impersonate an authenticated user.

This issue will be handled via a bunch of sub-tasks.

depends on

ELY-2419 Update GeneralName to make use of MessageDigest#isEqual to avoid a potential timing attack

Resolved

ELY-2420 Update MaskedPasswordImpl to make use of MessageDigest#isEqual to avoid a potential timing attack

Resolved

ELY-2421 Update DigestPasswordImpl to make use of MessageDigest#isEqual to avoid a potential timing attack

Resolved

ELY-2422 Update SaltedSimpleDigestPasswordImpl to make use of MessageDigest#isEqual to avoid a potential timing attack

Resolved

ELY-2423 Update SimpleDigestPasswordImpl to make use of MessageDigest#isEqual to avoid a potential timing attack

Resolved

ELY-2424 Update ScramDigestPasswordImpl to make use of MessageDigest#isEqual to avoid a potential timing attack

Resolved

ELY-2425 Update SunUnixMD5CryptPasswordImpl to make use of MessageDigest#isEqual to avoid a potential timing attack

Resolved

ELY-2426 Update UnixMD5CryptPassworldImpl to make use of MessageDigest#isEqual to avoid a potential timing attack

Resolved

ELY-2427 Update EncryptablePasswordSpec to make use of MessageDigest#isEqual to avoid a potential timing attack

Resolved

ELY-2428 Update ClearPasswordImpl to make use of MessageDigest#isEqual to avoid a potential timing attack

Resolved

ELY-2429 Update RawClearPassword to make use of MessageDigest#isEqual to avoid a potential timing attack

Resolved

ELY-2430 Update AbstractX509CertificateChainCredential to make use of MessageDigest#isEqual to avoid a potential timing attack

Resolved

ELY-2431 Update X509EvidenceVerifier to make use of MessageDigest#isEqual to avoid a potential timing attack

Resolved

ELY-2432 Update RawSaltedSimpleDigestPassword to make use of MessageDigest#isEqual to avoid a potential timing attack

Resolved

ELY-2433 Update RawScramDigestPassword to make use of MessageDigest#isEqual to avoid a potential timing attack

Resolved

ELY-2434 Update UnixSHACryptPasswordImpl to make use of MessageDigest#isEqual to avoid a potential timing attack

Resolved

ELY-2435 Update RawDigestPassword to make use of MessageDigest#isEqual to avoid a potential timing attack

Resolved

ELY-2436 Update HashPasswordSpec to make use of MessageDigest#isEqual to avoid a potential timing attack

Resolved

ELY-2437 Update DigestPasswordSpec to make use of MessageDigest#isEqual to avoid a potential timing attack

Resolved

ELY-2438 Update RawSimpleDigestPassword to make use of MessageDigest#isEqual to avoid a potential timing attack

Resolved

(15 depends on)

Assignee:: Farah Juma

Reporter:: Farah Juma

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2022/09/15 6:16 PM

Updated:: 2023/02/21 4:51 PM

Resolved:: 2023/02/21 4:51 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates