@ic0nz1
CVE-2020-2655: TLS/DTLS client authentication bypass in Java 11 & 13 (JSSE) Details & PoC web-in-security.blogspot.com/2020/01/cve-20… pic.twitter.com/pL0JoMPMnB
Robert Merget
@ic0nz1
20 Jan
Zeev Tarantov
@ZTarantov
20 Jan
So seems I was right in twitter.com/ZTarantov/stat… and is the conclusion that JSSE is garbage or that TLS client should not be used?
Robert Merget
@ic0nz1
20 Jan
I think it just needs more eyes on it.
Cord
@Cord__
21 Jan
Thank you. If I have TLS terminated on an Offloader-Webserver (Apache/Nginx) in front of my Java-App then I should be unaffected?
Robert Merget
@ic0nz1
21 Jan
If the server is not reachable for a potential attacker you should be fine. I still recommend patching though.