TLS Downgrade Attack Vulnerability in WildFly by Red Hat
CVE-2019-14887

7.4HIGH

Key Information:

Vendor
Red Hat
Status
Vendor
CVE Published:
16 March 2020

Summary

A flaw was found in WildFly: when an OpenSSL security provider is in use, the 'enabled-protocols' setting of the TLS configuration is ignored, so the server can still negotiate protocol versions the administrator intended to disable. An attacker positioned on the network path between a client and WildFly (a man-in-the-middle) can use this to downgrade a connection to an older, weaker TLS version than the one configured and then attack that weaker protocol to read or alter the traffic. Confidentiality and integrity of data in transit are affected; availability is not. WildFly 7.2.0.GA, 7.2.3.GA, and 7.2.5.CR2 are listed as affected. Apply the vendor fix, and afterwards verify on the wire that the server actually refuses the protocol versions you have disabled rather than trusting the configuration alone, since the configuration is exactly what this flaw makes unreliable.
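Because the flaw is that the configuration says one thing and the wire does another, the only reliable check is to ask the server which versions it will actually negotiate. The probe below is an added example, not part of this advisory and not code from WildFly or Red Hat. It attempts a handshake pinned to each TLS version in turn against a listener you name (the host, port and enabled-protocols list are assumptions supplied by the operator from the server's own configuration) and reports any version the server accepted although the configuration disables it, which is the symptom of this CVE. The CLI at the bottom exits non-zero when such a downgrade is possible.

```python
import socket
import ssl
import warnings

# Protocol names as WildFly's enabled-protocols lists them, mapped to Python's ssl.TLSVersion.
TLS_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host, port, name, timeout=5.0):
    """Try one handshake pinned to exactly one TLS version.

    Returns True if the server completed a handshake at that version,
    False if the server refused it (or is unreachable), and None if the
    local OpenSSL build would not even offer it, in which case nothing
    can be concluded about the server from this client.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we are testing version negotiation, not trust
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # TLSv1/TLSv1.1 are deprecated
        try:
            ctx.minimum_version = TLS_VERSIONS[name]
            ctx.maximum_version = TLS_VERSIONS[name]
        except (ValueError, ssl.SSLError):
            return None  # version compiled out of the local OpenSSL
    try:
        # OpenSSL 3 refuses to offer TLS 1.0/1.1 above security level 0.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # older OpenSSL/LibreSSL without SECLEVEL: keep the default list
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() == name
    except ssl.SSLError as exc:
        if "no protocols available" in str(exc).lower():
            return None  # the client side could not offer this version
        return False  # server alert / handshake failure: version refused
    except OSError:
        return False  # connection refused, reset or timed out


def classify(results, enabled_protocols):
    """Compare what the server negotiated with what enabled-protocols says.

    results: {name: True | False | None} as returned by probe_version.
    Returns three sorted lists:
      'unexpected' - accepted by the server although not enabled
                     (the symptom of CVE-2019-14887),
      'refused'    - enabled in the configuration but refused by the server
                     (a misconfiguration, not this CVE),
      'unknown'    - versions this client could not offer at all.
    """
    enabled = set(enabled_protocols)
    return {
        "unexpected": sorted(n for n, ok in results.items() if ok is True and n not in enabled),
        "refused": sorted(n for n, ok in results.items() if ok is False and n in enabled),
        "unknown": sorted(n for n, ok in results.items() if ok is None),
    }


def audit(host, port, enabled_protocols, timeout=5.0):
    """Probe every version in TLS_VERSIONS against host:port and classify the outcome."""
    results = {name: probe_version(host, port, name, timeout) for name in TLS_VERSIONS}
    return classify(results, enabled_protocols)


if __name__ == "__main__":
    import sys

    # Usage: tls_probe.py <host> <port> <comma-separated enabled-protocols from the server config>
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    configured = sys.argv[3].split(",")  # e.g. TLSv1.2,TLSv1.3
    report = audit(target_host, target_port, configured)
    for key, names in report.items():
        print(f"{key:10s} {', '.join(names) or '-'}")
    sys.exit(1 if report["unexpected"] else 0)
```

Run it from a host whose OpenSSL can still offer the old versions (the script lowers the security level for that reason); anything it lists under "unknown" has not been tested, not passed. Run it once before patching to confirm the exposure and again afterwards to confirm that the disabled versions are now refused.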

Affected Version(s)

WildFly 7.2.0.GA, 7.2.3.GA, 7.2.5.CR2

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
