Re: [jgit-dev] Security Vulnerability - Action Required: “Cryptographic Issues” vulnerability in some versions of org.eclipse.jgit:org.eclipse.jgit

On Tue, Nov 14, 2023 at 2:54 PM James Watt via jgit-dev <jgit-dev@xxxxxxxxxxx> wrote:

Hi there,

I think the method org.eclipse.jgit.transport.http.JDKHttpConnection.configure may have a “Cryptographic Issues” vulnerability, which is vulnerable in org.eclipse.jgit:org.eclipse.jgit in the versions 3.3.0.201403021825-r to 3.3.2.201404171909-r; 3.4.0.201405051725-m7 to 3.4.2.201412180340-r; 3.5.0.201409071800-rc1 to 3.5.1.201410131835-r. It shares similarities with a recent CVE disclosure, CVE-2014-3566, in the project "terabyte/jgit".

The source vulnerability information is as follows:  

Vulnerability Detail:

CVE Identifier: CVE-2014-3566 

Description: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

Reference:  https://nvd.nist.gov/vuln/detail/CVE-2014-3566

Patch: https://github.com/terabyte/jgit/commit/3e131a35e3166f1615611b4df30b1772812b6016

Vulnerability Description: In the vulnerable code, the SSLContext is initialized with the "SSL" protocol, which refers to SSL 3.0. This protocol version is susceptible to the POODLE attack because of the non-deterministic CBC padding. By intercepting and manipulating the encrypted traffic, a man-in-the-middle attacker can exploit the padding oracle vulnerability to decrypt sensitive information. The patch in the "terabyte/jgit" project addresses the vulnerability by updating the protocol used in the SSLContext initialization. Instead of "SSL," it uses "TLS," which stands for Transport Layer Security. TLS provides more secure cryptographic algorithms and avoids the non-deterministic CBC padding vulnerability present in SSL 3.0. By switching to the TLS protocol, the patch mitigates the POODLE vulnerability. Maybe you need to fix it using terabyte/jgit's patch.

Considering the potential risks it may have, I am willing to cooperate with you to verify, address, and report the identified vulnerability promptly through responsible means. If you require any further information or assistance, please do not hesitate to reach out to me. Thank you, and I look forward to hearing from you soon.


Best regards,

Yiheng Cao


Thanks for your report,

I think these 9-year-old versions are only of interest to archaeologists.
They have not been maintained anymore for a long time.

This was fixed in 2014 by configuring TLS explicitly
and is available from v3.5.2.201411120430-r. The latest release is v6.7.0.202309050840-r.

Next time report a security issue following

-Matthias 
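
The fix discussed in this thread is about which protocol versions the `SSLContext` ends up negotiating. As an added example (not code from this thread, from JGit, or from the terabyte/jgit patch), the following Java program lists the protocol versions the local JDK enables for contexts requested as "SSL" and as "TLS", then builds an engine with `SSLv3` and `SSLv2Hello` removed explicitly so the result does not depend on the context name or on JDK defaults. The class and method names are hypothetical; only standard JSSE calls are used.

```java
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example, not JGit code. ProtocolAudit and its methods are hypothetical names.
public class ProtocolAudit {

    // JSSE protocol names that predate TLS 1.0 and should never be negotiated.
    private static final List<String> LEGACY = Arrays.asList("SSLv2Hello", "SSLv3");

    // Creates a context for the requested name using the JDK's default key and trust material.
    static SSLContext context(String name) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance(name);
        ctx.init(null, null, null);
        return ctx;
    }

    // Protocols this JDK enables by default for a context requested under the given name.
    static List<String> enabledByDefault(String name) throws GeneralSecurityException {
        return Arrays.asList(context(name).getDefaultSSLParameters().getProtocols());
    }

    // Client-mode engine from a "TLS" context with legacy protocols removed explicitly.
    static SSLEngine hardenedEngine() throws GeneralSecurityException {
        SSLEngine engine = context("TLS").createSSLEngine();
        engine.setUseClientMode(true);
        List<String> kept = new ArrayList<>();
        for (String p : engine.getEnabledProtocols()) {
            if (!LEGACY.contains(p)) {
                kept.add(p);
            }
        }
        if (kept.isEmpty()) {
            throw new GeneralSecurityException("no TLS protocol version left enabled");
        }
        engine.setEnabledProtocols(kept.toArray(new String[0]));
        return engine;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        for (String name : new String[] {"SSL", "TLS"}) {
            System.out.println(name + " context enables: " + enabledByDefault(name));
        }
        System.out.println("hardened engine enables: "
                + Arrays.asList(hardenedEngine().getEnabledProtocols()));
    }
}
```

Running it on the JDK that actually hosts the application shows whether `SSLv3` is still reachable there, which is the check that matters when an old library version cannot be upgraded immediately.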
