Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlncDQtcXJmZi1jNjQ4

Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15

In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.

Permalink: https://github.com/advisories/GHSA-9gp4-qrff-c648
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlncDQtcXJmZi1jNjQ4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 6 years ago
Updated: almost 2 years ago

CVSS Score: 5.9
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Percentage: 0.00381
EPSS Percentile: 0.7267

Identifiers: GHSA-9gp4-qrff-c648, CVE-2016-1000345
References:

• https://nvd.nist.gov/vuln/detail/CVE-2016-1000345
• https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35#diff-4439ce586bf9a13bfec05c0d113b8098
• https://access.redhat.com/errata/RHSA-2018:2669
• https://access.redhat.com/errata/RHSA-2018:2927
• https://github.com/advisories/GHSA-9gp4-qrff-c648
• https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html
• https://security.netapp.com/advisory/ntap-20181127-0004/
• https://usn.ubuntu.com/3727-1/
• https://www.oracle.com/security-alerts/cpuoct2020.html

Repository: https://github.com/bcgit/bc-java
Blast Radius: 17.7

Affected Packages