skip-tls
Bernd Eckenfels
ecki at zusammenkunft.net
Wed Mar 4 05:56:34 UTC 2015
Hello,
I just ran across this work from a team of researchers on TLS protocol
fuzzing. One part of this article describes what CVE-2014-6593 is all
about.
https://www.smacktls.com/#skip
I must say, I had a brief look into this while checking the fixes in
the January CPU, but due to the rather low 4.0 CVSS scoring with the
"high access complexity" I did not really pay attention.
So let me quote the finding of the researchers and keep in mind, this
affects all of Java 5.0u75, 6u85, 7u72, 8u25 and older. (This
especially affects all publicly available Java 6 updates).
"A vulnerable JSSE client is then willing to accept the certificate and
start exchanging unencrypted application data. In other words, the JSSE
implementation of TLS has been providing virtually no security
guarantee (no authentication, no integrity, no confidentiality) for the
past several years."
I know here on the list are people who are not all developers of the
security components but care about Java security, so I guess it is fine
to share that pointer here.
Gruss
Bernd