First published: Tue Sep 06 2022
A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks: it returns as soon as the first differing byte is found, so the time a comparison takes leaks how much of a secret value matched. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authenticated user.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/wildfly-elytron | <1.15.15 | 1.15.15 |
| redhat/wildfly-elytron | <1.20.3 | 1.20.3 |
| redhat/eap7-wildfly-elytron | <0:1.15.16-1.Final_redhat_00001.1.el8ea | 0:1.15.16-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-wildfly-elytron | <0:1.15.16-1.Final_redhat_00001.1.el9ea | 0:1.15.16-1.Final_redhat_00001.1.el9ea |
| redhat/eap7-wildfly-elytron | <0:1.15.16-1.Final_redhat_00001.1.el7ea | 0:1.15.16-1.Final_redhat_00001.1.el7ea |
| Redhat Wildfly Elytron | =1.15.15 | |
| Redhat Jboss Enterprise Application Platform | =7.0.0 | |
CVE-2022-3143 is a vulnerability in Wildfly-elytron that allows timing attacks through the use of an unsafe comparator.
Wildfly-elytron can be exploited through timing attacks against its use of java.util.Arrays.equals.
The recommended fix for Wildfly-elytron is to upgrade to version 1.15.15 or higher.
More information about CVE-2022-3143 is available in the Red Hat security advisory RHSA-2023:0553.
The severity of CVE-2022-3143 is high, with a CVSS score of 7.4.
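The flawed comparison beside the recommended one, as an added example that is not part of this advisory or of the WildFly Elytron code base. The key, message and token bytes are constructed for the demo, and verifyManual is an illustrative hand-written equivalent of MessageDigest.isEqual included only to show why the safe version does not leak timing.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ConstantTimeCompareDemo {

    // Vulnerable pattern named in the advisory: Arrays.equals stops at the first
    // mismatching byte, so elapsed time reveals how many leading bytes matched.
    static boolean verifyUnsafe(byte[] expected, byte[] presented) {
        return Arrays.equals(expected, presented);
    }

    // Recommended pattern: MessageDigest.isEqual inspects every byte regardless of
    // where the first mismatch is, so elapsed time does not depend on the secret.
    static boolean verifySafe(byte[] expected, byte[] presented) {
        return MessageDigest.isEqual(expected, presented);
    }

    // Hypothetical hand-written equivalent, shown to make the idea explicit: fold XOR
    // differences into one accumulator and never branch on the data itself. The
    // lengths of MAC tags are public, so looping over the shorter length is fine.
    static boolean verifyManual(byte[] expected, byte[] presented) {
        int diff = expected.length ^ presented.length;
        int len = Math.min(expected.length, presented.length);
        for (int i = 0; i < len; i++) {
            diff |= expected[i] ^ presented[i];
        }
        return diff == 0;
    }

    static byte[] hmacSha256(byte[] key, String msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: a server-side key and a client-presented token.
        byte[] key = "demo-server-key-not-a-real-secret".getBytes(StandardCharsets.UTF_8);
        byte[] expected = hmacSha256(key, "session-42");
        byte[] good = expected.clone();
        byte[] bad = expected.clone();
        bad[bad.length - 1] ^= 0x01; // differs from the expected tag only in its last byte

        System.out.println("unsafe good=" + verifyUnsafe(expected, good) + " bad=" + verifyUnsafe(expected, bad));
        System.out.println("safe   good=" + verifySafe(expected, good) + " bad=" + verifySafe(expected, bad));
        System.out.println("manual good=" + verifyManual(expected, good) + " bad=" + verifyManual(expected, bad));
    }
}
```

All three checks return the same booleans; the difference is only in how long the rejecting path takes, which is exactly what a timing attack measures.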