CVE-2019-14887

Advisory lineage: Upstream: 0, Downstream: 7
Status: Modified
Published: 16 Mar 2020, 14:48
Last modified: 05 Aug 2024, 00:26

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.1 CRITICAL
v3.1 (nvd)
EPSS Score
0.23% LOW
0% probability +0.05%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

16 Mar 2020, 14:48
Published
Vulnerability first disclosed
05 Aug 2024, 00:26
Last Modified
Vulnerability information updated

Description

A flaw was found in Wildfly: when an OpenSSL security provider is used, the 'enabled-protocols' value in the Wildfly configuration is not honored. An attacker who can intercept traffic sent from Wildfly could downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly versions 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable.
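The defensive check that follows from this description is to compare what the configuration says with what the running listener actually negotiates. The script below is an added example for this page, not code from the advisory, Red Hat or the Wildfly project. It reads the `enabled-protocols` attribute of Undertow `https-listener` elements (and the `protocols` attribute of Elytron `server-ssl-context` elements) from a Wildfly XML document, then completes one handshake per TLS version against a host and reports any version the server accepted that the configuration did not enable. The function names, the tri-state probe result and the XML snippet in the test are assumptions constructed for the example.

```python
import re
import socket
import ssl
import xml.etree.ElementTree as ET

# Protocol versions from weakest to strongest. TLSv1 and TLSv1.1 are the
# versions a downgrade of the kind described here would land on.
VERSION_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Wildfly's protocol names mapped onto the ssl module's version constants.
_PY_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def _local_name(tag):
    """Strip the XML namespace: '{urn:jboss:domain:undertow:12.0}https-listener' -> 'https-listener'."""
    return tag.rsplit("}", 1)[-1]


def configured_protocols(xml_text):
    """Return {element name: [protocols]} for every Undertow https-listener and
    Elytron server-ssl-context in a Wildfly XML document (hypothetical helper).

    An element with no explicit protocol attribute maps to None, i.e. "server default",
    which this check deliberately does not guess at.
    """
    result = {}
    for elem in ET.fromstring(xml_text).iter():
        name = _local_name(elem.tag)
        if name == "https-listener":
            attr = elem.get("enabled-protocols")  # comma-separated string attribute
        elif name == "server-ssl-context":
            attr = elem.get("protocols")  # list attribute, space- or comma-separated
        else:
            continue
        key = elem.get("name", name)
        result[key] = None if attr is None else [p for p in re.split(r"[,\s]+", attr.strip()) if p]
    return result


def probe_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly one protocol version.

    Returns "accepted", "rejected" or "unsupported" (the local OpenSSL build will not
    offer that version at all, so the result says nothing about the server).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE  # certificate trust is not what is being checked here
    try:
        ctx.minimum_version = _PY_VERSIONS[version]
        ctx.maximum_version = _PY_VERSIONS[version]
        # Current OpenSSL builds refuse TLS 1.0/1.1 at the default security level;
        # without this the probe's own refusal would look like a server rejection.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return "unsupported"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() == version else "rejected"
    except (ssl.SSLError, OSError):
        return "rejected"


def accepted_versions(host, port):
    """Probe every version in VERSION_ORDER and collect the results."""
    return {v: probe_version(host, port, v) for v in VERSION_ORDER}


def unexpected_versions(configured, probe_results):
    """Versions the server completed a handshake for although the configuration does
    not list them. A non-empty result means the configured list is not being honored,
    which is the behaviour this advisory describes."""
    enabled = set(configured)
    return [v for v in VERSION_ORDER if probe_results.get(v) == "accepted" and v not in enabled]


if __name__ == "__main__":
    import sys

    # usage: python check_protocols.py <host> <port> <enabled-protocols value, e.g. TLSv1.2,TLSv1.3>
    host, port, configured = sys.argv[1], int(sys.argv[2]), sys.argv[3].split(",")
    results = accepted_versions(host, port)
    for v in VERSION_ORDER:
        print(f"{v:8s} {results[v]}")
    bad = unexpected_versions(configured, results)
    print("enabled-protocols honored" if not bad else f"NOT honored: server also accepts {bad}")
```

Run it against a Wildfly HTTPS listener with the exact value taken from `enabled-protocols`; an "unsupported" row means the local OpenSSL could not offer that version, so that row needs a second probe from a different client rather than being read as "rejected". Repeating the check after patching or switching the security provider confirms that the configured list is again enforced.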

CVSS Metrics

  • v3.1, CRITICAL, score 9.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • v3.0, HIGH, score 7.4: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
  • v2.0, MEDIUM, score 6.4: AV:N/AC:L/Au:N/C:P/I:P/A:N

EPSS Trends

Current EPSS score: 0.23%; percentile: 46%

Techniques & Countermeasures

  • CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

    A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.

Affected Systems

  • redhat / wildfly

    7.2.0.GA, 7.2.3.GA, 7.2.5.CR2

  • redhat / jboss_data_grid

    7.0.0

  • redhat / jboss_enterprise_application_platform

    7.0.0

  • redhat / jboss_fuse

    7.0.0

  • redhat / openshift_application_runtimes

    na

  • redhat / single_sign-on

    7.0

  • redhat / wildfly

    7.2.0:general_availability | 7.2.3:general_availability | 7.2.5:cr2

References (3)