CVE-2022-3143 - Vulnerability Details

wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Redhat	Jboss Enterprise Application Platform Jboss Enterprise Bpms Platform Wildfly Elytron

Configuration 1 [-]

cpe:2.3:a:redhat:wildfly_elytron:1.15.15:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat JBoss Enterprise Application Platform 7
wildfly-elytron	cpe:/a:redhat:jboss_enterprise_application_platform:7.4	RHSA-2023:0556	2023-01-31T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2023:0553	2023-01-31T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2023:0554	2023-01-31T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2023:0552	2023-01-31T00:00:00Z
RHPAM 7.13.4 async
	cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13	RHSA-2023:4983	2023-09-05T00:00:00Z

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2022-3143
https://nvd.nist.gov/vuln/detail/CVE-2022-3143
https://www.cve.org/CVERecord?id=CVE-2022-3143

History

Wed, 09 Apr 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2023-01-11T20:57:29.342Z

Updated: 2025-04-09T13:46:25.564Z

Reserved: 2022-09-06T19:26:59.538Z

Link: CVE-2022-3143

Vulnrichment

Updated: 2024-08-03T01:00:10.516Z

NVD

Status : Modified

Published: 2023-01-13T06:15:11.080

Modified: 2025-04-09T14:15:23.850

Link: CVE-2022-3143

Redhat

Severity : Moderate

Publid Date: 2022-09-06T00:00:00Z

Links: CVE-2022-3143 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object