0 Replies Latest reply on Mar 14, 2015 11:51 AM by sivasankar1631

    JBoss implementation of TLS 1.x padding vulnerability CVE-2014-8730

    sivasankar1631

      Hi all,

      Is the implementation of TLS by JBoss affected by "CVE-2014-8730 TLS 1.x padding vulnerability"?

      I am using JBoss AS 7 for Windows in my application which with JDK 6. We are not sure that our product is vulnerable to TLS 1.x padding or not.

      Please see the following links for more details about this vulnerability:

      http://www.computerworld.com.au/article/561828/poodle-flaw-returns-time-hitting-tls-security-protocol/?twitterID=nixCraft

      https://www.imperialviolet.org/2014/12/08/poodleagain.html

      https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls

      https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15882.html

      https://www.a10networks.com/support/advisories/A10-RapidResponse_CVE-2014-8730.pdf

      https://devcentral.f5.com/articles/cve-2014-8730-padding-issue-8151


      Is there any confirmation from JBoss that native JSEE and OpenSSL impementation of TLS  is not affected by this vulnerability?

      I appreciate for your help in this regard.

      Thanks,

      Sivasankar