CVE-2014-0453
First published: Fri Apr 11 2014(Updated: )
It was discovered that the Security component in OpenJDK could leak some timing information when preforming PKCS#1 unpadding. This could possibly lead to disclosure of some information meant to be protected by encryption. This fix improves the fix for <a href="https://access.redhat.com/security/cve/CVE-2014-0411">CVE-2014-0411</a> (<a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED ERRATA - CVE-2014-0411 OpenJDK: TLS/SSL handshake timing issues (JSSE, 8023069)" href="show_bug.cgi?id=1053010">bug 1053010</a>) applied via via Oracle CPU January 2014.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/icedtea | <1.13.3 | 1.13.3 |
| redhat/icedtea | <2.4.7 | 2.4.7 |
| Oracle Java SE | =r27.8.1 | |
| Oracle Java SE | =r28.3.1 | |
| Ubuntu | =10.04 | |
| Ubuntu | =12.04 | |
| Ubuntu | =12.10 | |
| Ubuntu | =13.10 | |
| Ubuntu | =14.04 | |
| Juniper Networks Junos Space | <15.1 | |
| Oracle OpenJDK 1.8.0 | =1.5.0-update61 | |
| Oracle OpenJDK 1.8.0 | =1.6.0-update71 | |
| Oracle OpenJDK 1.8.0 | =1.7.0-update51 | |
| Oracle OpenJDK 1.8.0 | =1.8.0 | |
| Oracle JRE | =1.5.0-update61 | |
| Oracle JRE | =1.6.0-update71 | |
| Oracle JRE | =1.7.0-update51 | |
| Oracle JRE | =1.8.0 | |
| Debian | =6.0 | |
| Debian | =7.0 | |
| Debian | =8.0 | |
| IBM Forms Viewer | >=4.0.0<4.0.0.3 | |
| IBM Forms Viewer | >=8.0.0<8.0.1.1 | |
| Microsoft Windows |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2014-0411
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1053010
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-April/027214.html
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-April/027222.html
- http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixJAVA
- https://rhn.redhat.com/errata/RHSA-2014-0407.html
- https://rhn.redhat.com/errata/RHSA-2014-0406.html
- https://rhn.redhat.com/errata/RHSA-2014-0408.html
- https://rhn.redhat.com/errata/RHSA-2014-0413.html
- https://rhn.redhat.com/errata/RHSA-2014-0412.html
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/48d5490a3067
- https://rhn.redhat.com/errata/RHSA-2014-0414.html
- https://rhn.redhat.com/errata/RHSA-2014-0486.html
- https://rhn.redhat.com/errata/RHSA-2014-0508.html
- https://rhn.redhat.com/errata/RHSA-2014-0509.html
- https://rhn.redhat.com/errata/RHSA-2014-0675.html
- https://rhn.redhat.com/errata/RHSA-2014-0685.html
- https://rhn.redhat.com/errata/RHSA-2014-0705.html
- https://rhn.redhat.com/errata/RHSA-2014-0982.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1086645
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10698
- http://marc.info/?l=bugtraq&m=140852886808946&w=2
- http://marc.info/?l=bugtraq&m=140852974709252&w=2
- http://rhn.redhat.com/errata/RHSA-2014-0675.html
- http://rhn.redhat.com/errata/RHSA-2014-0685.html
- http://secunia.com/advisories/58415
- http://secunia.com/advisories/59022
- http://secunia.com/advisories/59023
- http://secunia.com/advisories/59071
- http://secunia.com/advisories/59082
- http://secunia.com/advisories/59104
- http://secunia.com/advisories/59194
- http://secunia.com/advisories/59250
- http://secunia.com/advisories/59255
- http://secunia.com/advisories/59307
- http://secunia.com/advisories/59324
- http://secunia.com/advisories/59436
- http://secunia.com/advisories/59438
- http://secunia.com/advisories/59653
- http://secunia.com/advisories/59675
- http://secunia.com/advisories/59722
- http://secunia.com/advisories/59733
- http://secunia.com/advisories/60003
- http://secunia.com/advisories/60111
- http://secunia.com/advisories/60117
- http://secunia.com/advisories/60498
- http://secunia.com/advisories/60574
- http://secunia.com/advisories/60580
- http://secunia.com/advisories/61050
- http://secunia.com/advisories/61264
- http://security.gentoo.org/glsa/glsa-201406-32.xml
- http://security.gentoo.org/glsa/glsa-201502-12.xml
- http://www-01.ibm.com/support/docview.wss?uid=swg21672080
- http://www-01.ibm.com/support/docview.wss?uid=swg21673836
- http://www-01.ibm.com/support/docview.wss?uid=swg21674539
- http://www-01.ibm.com/support/docview.wss?uid=swg21675945
- http://www-01.ibm.com/support/docview.wss?uid=swg21676190
- http://www-01.ibm.com/support/docview.wss?uid=swg21676373
- http://www-01.ibm.com/support/docview.wss?uid=swg21676672
- http://www-01.ibm.com/support/docview.wss?uid=swg21676703
- http://www-01.ibm.com/support/docview.wss?uid=swg21677294
- http://www-01.ibm.com/support/docview.wss?uid=swg21678113
- http://www-01.ibm.com/support/docview.wss?uid=swg21679610
- http://www-01.ibm.com/support/docview.wss?uid=swg21679713
- http://www-01.ibm.com/support/docview.wss?uid=swg21680387
- http://www-01.ibm.com/support/docview.wss?uid=swg21680750
- http://www-01.ibm.com/support/docview.wss?uid=swg21681018
- http://www-01.ibm.com/support/docview.wss?uid=swg21681047
- http://www-01.ibm.com/support/docview.wss?uid=swg21681256
- http://www-01.ibm.com/support/docview.wss?uid=swg21683484
- http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096132
- http://www.debian.org/security/2014/dsa-2912
- http://www.ibm.com/support/docview.wss?uid=swg21675343
- http://www.ibm.com/support/docview.wss?uid=swg21675588
- http://www.ibm.com/support/docview.wss?uid=swg21677387
- http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
- http://www.securityfocus.com/bid/66914
- http://www.ubuntu.com/usn/USN-2187-1
- http://www.ubuntu.com/usn/USN-2191-1
- https://access.redhat.com/errata/RHSA-2014:0413
- https://access.redhat.com/errata/RHSA-2014:0414
- https://www.ibm.com/support/docview.wss?uid=swg21674530
Frequently Asked Questions
What is the severity of CVE-2014-0453?
CVE-2014-0453 has been classified as a medium severity vulnerability due to potential information disclosure.
How do I fix CVE-2014-0453?
To fix CVE-2014-0453, you should update to the latest versions of the affected software, including IcedTea 1.13.3 or 2.4.7, or ensure that your Oracle JDK and JRE versions are updated as specified.
What software is affected by CVE-2014-0453?
CVE-2014-0453 affects various versions of OpenJDK, IcedTea, Oracle JDK, Oracle JRE, and specific Ubuntu and Debian distributions.
Can CVE-2014-0453 lead to any exploits?
Yes, CVE-2014-0453 could potentially allow an attacker to exploit timing information leaks to gain access to sensitive decrypted data.
What actions should I take if I am using vulnerable software for CVE-2014-0453?
If using vulnerable software for CVE-2014-0453, immediately implement the necessary updates and monitor systems for any unusual activity.
- agent/type
- agent/references
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2014-0453
- agent/software-canonical-lookup
- agent/severity
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/oracle
- canonical/oracle java se
- version/oracle java se/r27.8.1
- version/oracle java se/r28.3.1
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/10.04
- version/ubuntu/12.04
- version/ubuntu/12.10
- version/ubuntu/13.10
- version/ubuntu/14.04
- vendor/juniper
- canonical/juniper networks junos space
- canonical/oracle openjdk 1.8.0
- version/oracle openjdk 1.8.0/1.5.0-update61
- version/oracle openjdk 1.8.0/1.6.0-update71
- version/oracle openjdk 1.8.0/1.7.0-update51
- version/oracle openjdk 1.8.0/1.8.0
- canonical/oracle jre
- version/oracle jre/1.5.0-update61
- version/oracle jre/1.6.0-update71
- version/oracle jre/1.7.0-update51
- version/oracle jre/1.8.0
- vendor/debian
- canonical/debian
- version/debian/6.0
- version/debian/7.0
- version/debian/8.0
- vendor/ibm
- canonical/ibm forms viewer
- version/ibm forms viewer/4.0.0
- version/ibm forms viewer/8.0.0
- vendor/microsoft
- canonical/microsoft windows