Minerva vulnerability + patch

Ján Jančár j08ny at mail.muni.cz
Thu Oct 17 08:49:54 UTC 2019


Hi all,
I saw that the CVE for this vulnerability was mentioned in the latest
critical patch update advisory as fixed:

  https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

And is now also public:

  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2894

However, the only change related to ECDSA I saw in the OpenJDK tree is this:

  https://hg.openjdk.java.net/jdk/jdk/rev/d66bdf0e2dfe
  8228825: Enhance ECDSA operations
  Reviewed-by: mullan
  Author: ascarpino

It basically disables support for binary field curves in the Java TLS/SSL server.
However, this does not fix the vulnerability:

 - Any user of the SunEC library through JCA remains vulnerable.
 - Any user of the Java TLS/SSL server that sets up the server to allow
   and use binary field curves (through "jdk.tls.namedGroups" for example)
   remains vulnerable.

A proper patch for this issue was posted earlier, with analysis of correctness
and passing tests.

Cheers,
Jan
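
Added example, not part of the original message or of the OpenJDK sources: a small Java audit for the two cases listed above. It flags binary field groups in a "jdk.tls.namedGroups" value and tests whether an EC key obtained through JCA lies on a binary field curve. The class name, method names and the sample property value are constructed for illustration.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPairGenerator;
import java.security.interfaces.ECKey;
import java.security.spec.ECFieldF2m;
import java.security.spec.ECGenParameterSpec;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public class BinaryCurveAudit {

    // TLS named groups over binary fields are the SEC 2 "sect*" curves
    // (sect163k1 ... sect571r1); "secp*" groups are prime field curves.
    static List<String> binaryGroups(String namedGroups) {
        List<String> hits = new ArrayList<>();
        if (namedGroups == null) return hits;   // property unset: JDK defaults apply
        for (String g : namedGroups.split(",")) {
            String name = g.trim().toLowerCase(Locale.ROOT);
            if (name.startsWith("sect")) hits.add(name);
        }
        return hits;
    }

    // JCA side: a key is on a binary field curve when the field of its
    // curve parameters is GF(2^m), whatever name the curve was requested by.
    static boolean onBinaryField(ECKey key) {
        return key.getParams().getCurve().getField() instanceof ECFieldF2m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value; the second line reads the live property.
        String sample = "x25519, secp256r1, sect283k1, sect571r1";
        System.out.println("sample: " + binaryGroups(sample));
        System.out.println("live:   " + binaryGroups(System.getProperty("jdk.tls.namedGroups")));

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        for (String curve : new String[] {"secp256r1", "sect283k1"}) {
            try {
                kpg.initialize(new ECGenParameterSpec(curve));
                ECKey key = (ECKey) kpg.generateKeyPair().getPublic();
                System.out.println(curve + " binary field: " + onBinaryField(key));
            } catch (InvalidAlgorithmParameterException e) {
                // Thrown when the installed provider does not support this curve.
                System.out.println(curve + " not supported by this JDK");
            }
        }
    }
}
```

The check reports where binary field curves are configured or in use; it does not change how the provider computes signatures.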


More information about the security-dev mailing list