Minerva vulnerability + patch
Ján Jančár
j08ny at mail.muni.cz
Thu Oct 17 08:49:54 UTC 2019
Hi all,
I saw that the CVE for this vulnerability was mentioned in the latest
critical patch update advisory as fixed:
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
And is now also public:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2894
However, the only change related to ECDSA I saw in the OpenJDK tree is this:
https://hg.openjdk.java.net/jdk/jdk/rev/d66bdf0e2dfe
8228825: Enhance ECDSA operations
Reviewed-by: mullan
Author: ascarpino
It basically disables support for binary field curves in the Java TLS/SSL server.
However, this does not fix the vulnerability:
- Any user of the SunEC library through JCA remains vulnerable.
- Any user of the Java TLS/SSL server that sets up the server to allow
and use binary field curves (through "jdk.tls.namedGroups" for example)
remains vulnerable.
A proper patch for this issue was posted earlier, with analysis of correctness
and passing tests.
Cheers,
Jan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20191017/d7270382/signature.asc>
More information about the security-dev
mailing list