Bug
Resolution: Done
Major
Timing Attack
critical severity
Manifest file: /home/jdg/rhdg-python-scripts/release-jdg-8.5.x/JDG-8.5.4.CD20250508/infinispan › graalvm/client-hotrod/pom.xml
Package Manager: maven
Vulnerable module: org.graalvm.sdk:graal-sdk
Introduced through: org.infinispan:infinispan-client-hotrod-graalvm@15.0.15.Final and org.graalvm.sdk:graal-sdk@23.1.6
Detailed paths
Introduced through: org.infinispan:infinispan-client-hotrod-graalvm@15.0.15.Final › org.graalvm.sdk:graal-sdk@23.1.6
Introduced through: org.infinispan:infinispan-commons-graalvm@15.0.15.Final › org.graalvm.sdk:graal-sdk@23.1.6
Introduced through: org.infinispan:infinispan-core-graalvm@15.0.15.Final › org.graalvm.sdk:graal-sdk@23.1.6
Introduced through: org.infinispan:infinispan-quarkus-cli@15.0.15.Final › org.graalvm.sdk:graal-sdk@23.1.6
Introduced through: org.infinispan:infinispan-quarkus-embedded@15.0.15.Final › org.graalvm.sdk:graal-sdk@23.1.6
Introduced through: org.infinispan:infinispan-quarkus-integration-test-cli@15.0.15.Final › org.infinispan:infinispan-quarkus-cli@15.0.15.Final › org.graalvm.sdk:graal-sdk@23.1.6
Introduced through: org.infinispan:infinispan-quarkus-server@15.0.15.Final › org.graalvm.sdk:graal-sdk@23.1.6
Overview
org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.
Affected versions of this package are vulnerable to a timing attack in security-libs/javax.net.ssl that exposes information from a TLS handshake via a side channel.
Remediation
Upgrade org.graalvm.sdk:graal-sdk to version 17.0.15, 21.0.7, 24.0.1 or higher.
References
https://bugzilla.redhat.com/show_bug.cgi?id=2359695