CVE-2014-4244
First published: Mon Jul 14 2014(Updated: )
It was discovered that the RSA algorithm in the OpenJDK Security component did not sufficiently preform "blinding" while performing operations using private keys. An attacker able to measure timing differences of those operations could possibly leak information about the keys used.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle JDK 6 | =1.5.0-update65 | |
| Oracle JDK 6 | =1.6.0-update75 | |
| Oracle JDK 6 | =1.7.0-update60 | |
| Oracle JDK 6 | =1.8.0-update5 | |
| Oracle Java Runtime Environment (JRE) | =1.5.0-update65 | |
| Oracle Java Runtime Environment (JRE) | =1.6.0-update75 | |
| Oracle Java Runtime Environment (JRE) | =1.7.0-update60 | |
| Oracle Java Runtime Environment (JRE) | =1.8.0-update5 | |
| BEA JRockit | =r27.8.2 | |
| BEA JRockit | =r28.3.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00026.html
- http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00033.html
- http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00036.html
- http://marc.info/?l=bugtraq&m=140852886808946&w=2
- http://marc.info/?l=bugtraq&m=140852974709252&w=2
- http://rhn.redhat.com/errata/RHSA-2015-0264.html
- http://seclists.org/fulldisclosure/2014/Dec/23
- http://secunia.com/advisories/58830
- http://secunia.com/advisories/59404
- http://secunia.com/advisories/59503
- http://secunia.com/advisories/59680
- http://secunia.com/advisories/59924
- http://secunia.com/advisories/59985
- http://secunia.com/advisories/59986
- http://secunia.com/advisories/59987
- http://secunia.com/advisories/60002
- http://secunia.com/advisories/60031
- http://secunia.com/advisories/60032
- http://secunia.com/advisories/60081
- http://secunia.com/advisories/60129
- http://secunia.com/advisories/60245
- http://secunia.com/advisories/60317
- http://secunia.com/advisories/60326
- http://secunia.com/advisories/60335
- http://secunia.com/advisories/60485
- http://secunia.com/advisories/60497
- http://secunia.com/advisories/60622
- http://secunia.com/advisories/60812
- http://secunia.com/advisories/60817
- http://secunia.com/advisories/60831
- http://secunia.com/advisories/60846
- http://secunia.com/advisories/60890
- http://secunia.com/advisories/61050
- http://secunia.com/advisories/61215
- http://secunia.com/advisories/61254
- http://secunia.com/advisories/61264
- http://secunia.com/advisories/61278
- http://secunia.com/advisories/61293
- http://secunia.com/advisories/61294
- http://secunia.com/advisories/61417
- http://secunia.com/advisories/61469
- http://secunia.com/advisories/61577
- http://secunia.com/advisories/61640
- http://secunia.com/advisories/61846
- http://secunia.com/advisories/62314
- http://security.gentoo.org/glsa/glsa-201502-12.xml
- http://www-01.ibm.com/support/docview.wss?uid=swg21680334
- http://www-01.ibm.com/support/docview.wss?uid=swg21681379
- http://www-01.ibm.com/support/docview.wss?uid=swg21681966
- http://www-01.ibm.com/support/docview.wss?uid=swg21683338
- http://www-01.ibm.com/support/docview.wss?uid=swg21683429
- http://www-01.ibm.com/support/docview.wss?uid=swg21683438
- http://www-01.ibm.com/support/docview.wss?uid=swg21683484
- http://www-01.ibm.com/support/docview.wss?uid=swg21685121
- http://www-01.ibm.com/support/docview.wss?uid=swg21685122
- http://www-01.ibm.com/support/docview.wss?uid=swg21685178
- http://www-01.ibm.com/support/docview.wss?uid=swg21685242
- http://www-01.ibm.com/support/docview.wss?uid=swg21686142
- http://www-01.ibm.com/support/docview.wss?uid=swg21686383
- http://www-01.ibm.com/support/docview.wss?uid=swg21686824
- http://www-01.ibm.com/support/docview.wss?uid=swg21688893
- http://www-01.ibm.com/support/docview.wss?uid=swg21689593
- http://www.debian.org/security/2014/dsa-2980
- http://www.debian.org/security/2014/dsa-2987
- http://www.ibm.com/support/docview.wss?uid=swg21683518
- http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
- http://www.securityfocus.com/archive/1/534161/100/0/threaded
- http://www.securityfocus.com/bid/68624
- http://www.securitytracker.com/id/1030577
- http://www.vmware.com/security/advisories/VMSA-2014-0012.html
- https://access.redhat.com/errata/RHSA-2014:0902
- https://access.redhat.com/errata/RHSA-2014:0908
- https://exchange.xforce.ibmcloud.com/vulnerabilities/94605
- https://kc.mcafee.com/corporate/index?page=content&id=SB10083
- https://www.ibm.com/support/docview.wss?uid=swg21680418
- https://rhn.redhat.com/errata/RHSA-2014-0890.html
- https://rhn.redhat.com/errata/RHSA-2014-0889.html
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-July/028550.html
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-July/028584.html
- http://hg.openjdk.java.net/jdk6/jdk6/jdk/rev/aa2b20532c67
- http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/3a2c7340f7de
- http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html#AppendixJAVA
- https://rhn.redhat.com/errata/RHSA-2014-0902.html
- https://rhn.redhat.com/errata/RHSA-2014-0908.html
- https://rhn.redhat.com/errata/RHSA-2014-0907.html
- https://rhn.redhat.com/errata/RHSA-2014-1033.html
- https://rhn.redhat.com/errata/RHSA-2014-1036.html
- https://rhn.redhat.com/errata/RHSA-2014-1042.html
- https://rhn.redhat.com/errata/RHSA-2014-1041.html
- https://rhn.redhat.com/errata/RHSA-2015-0264.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1119475
Frequently Asked Questions
What is the severity of CVE-2014-4244?
CVE-2014-4244 is considered a high severity vulnerability due to its potential to expose sensitive private key information.
How do I fix CVE-2014-4244?
To fix CVE-2014-4244, update your version of the Oracle JDK or JRE to the latest patched release.
Which versions of software are affected by CVE-2014-4244?
CVE-2014-4244 affects Oracle JDK 1.5.0-update65, 1.6.0-update75, 1.7.0-update60, and 1.8.0-update5, as well as corresponding JRE and BEA JRockit versions.
What type of attack does CVE-2014-4244 enable?
CVE-2014-4244 potentially allows an attacker to exploit timing differences in RSA private key operations to leak key information.
Is there a known exploit for CVE-2014-4244?
As of now, there are no publicly known exploits specifically targeting CVE-2014-4244, but the vulnerability itself poses a risk.
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2014-4244
- agent/author
- agent/severity
- agent/references
- agent/event
- agent/description
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- vendor/oracle
- canonical/oracle jdk 6
- version/oracle jdk 6/1.5.0-update65
- version/oracle jdk 6/1.6.0-update75
- version/oracle jdk 6/1.7.0-update60
- version/oracle jdk 6/1.8.0-update5
- canonical/oracle java runtime environment (jre)
- version/oracle java runtime environment (jre)/1.5.0-update65
- version/oracle java runtime environment (jre)/1.6.0-update75
- version/oracle java runtime environment (jre)/1.7.0-update60
- version/oracle java runtime environment (jre)/1.8.0-update5
- canonical/bea jrockit
- version/bea jrockit/r27.8.2
- version/bea jrockit/r28.3.2