REDHAT-BUG-2015311
First published: Mon Oct 18 2021(Updated: )
It was discovered that the TLS implementation in the JSSE component of OpenJDK used non-constant comparisons when checking various data (such as session identifiers or verification data blocks) during TLS handshakes. A malicious TLS client could possibly use this flaw to recover that data by observing timing differences in processing of various inputs.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenJDK 17 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.oracle.com/security-alerts/cpuoct2021.html#AppendixJAVA
- https://access.redhat.com/errata/RHSA-2021:3886
- https://access.redhat.com/errata/RHSA-2021:3884
- https://access.redhat.com/errata/RHSA-2021:3885
- https://access.redhat.com/errata/RHSA-2021:3893
- https://access.redhat.com/errata/RHSA-2021:3887
- https://access.redhat.com/errata/RHSA-2021:3891
- https://access.redhat.com/security/cve/cve-2021-35603
- https://access.redhat.com/errata/RHSA-2021:3889
- https://access.redhat.com/errata/RHSA-2021:3892
- https://access.redhat.com/errata/RHSA-2021:3960
- https://access.redhat.com/errata/RHSA-2021:3961
- https://access.redhat.com/errata/RHSA-2021:3967
- https://access.redhat.com/errata/RHSA-2021:3968
- https://github.com/openjdk/jdk11u-dev/commit/d5d203f9c5ae0979d60aa423c2a4409dd8ddcf1a
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/54441ec952f7
- https://access.redhat.com/errata/RHSA-2021:4135
- https://access.redhat.com/errata/RHSA-2021:4532
- https://access.redhat.com/errata/RHSA-2021:4531
- https://access.redhat.com/errata/RHSA-2022:0970
- https://access.redhat.com/errata/RHSA-2022:0969
- https://access.redhat.com/errata/RHSA-2022:0968
- https://bugzilla.redhat.com/show_bug.cgi?id=2015311
Frequently Asked Questions
What is the severity of REDHAT-BUG-2015311?
The severity of REDHAT-BUG-2015311 is rated as high due to potential data recovery by malicious TLS clients.
How do I fix REDHAT-BUG-2015311?
To fix REDHAT-BUG-2015311, update to the latest version of OpenJDK where this vulnerability has been patched.
What are the potential impacts of REDHAT-BUG-2015311?
The potential impacts of REDHAT-BUG-2015311 include exposure of sensitive data during TLS handshakes.
Which versions of OpenJDK are affected by REDHAT-BUG-2015311?
REDHAT-BUG-2015311 affects Oracle OpenJDK 17 and possibly other versions prior to the remediation.
Is there a workaround for REDHAT-BUG-2015311?
There is no known effective workaround for REDHAT-BUG-2015311 other than applying the recommended updates.
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-35603
- agent/references
- agent/severity
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/oracle
- canonical/openjdk 17