There’s one place in https://github.com/wildfly-security/wildfly-elytron/blob/1.x/credential/base/src/main/java/org/wildfly/security/password/interfaces/RawClearPassword.java where Arrays#equals is currently used to compare byte arrays.

Arrays#equals is vulnerable to timing attacks because it uses a non time-constant comparison.

MessageDigest#isEqual uses a time-constant comparison which means that all bytes in the arrays will be compared.

Update RawClearPassword so that it uses the MessageDigest#isEqual method instead of Arrays#equals to compare the byte arrays.