Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZqcW0tMjQ2Yy1td3Fn

In Bouncy Castle JCE Provider the other party DH public key is not fully validated

In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.

Permalink: https://github.com/advisories/GHSA-fjqm-246c-mwqg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZqcW0tMjQ2Yy1td3Fn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 6 years ago
Updated: almost 2 years ago

CVSS Score: 3.7
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Percentage: 0.00327
EPSS Percentile: 0.70519

Identifiers: GHSA-fjqm-246c-mwqg, CVE-2016-1000346
References:

• https://nvd.nist.gov/vuln/detail/CVE-2016-1000346
• https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495#diff-d525a20b8acaed791ae2f0f770eb5937
• https://access.redhat.com/errata/RHSA-2018:2669
• https://access.redhat.com/errata/RHSA-2018:2927
• https://github.com/advisories/GHSA-fjqm-246c-mwqg
• https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html
• https://security.netapp.com/advisory/ntap-20181127-0004/
• https://usn.ubuntu.com/3727-1/
• https://www.oracle.com/security-alerts/cpuoct2020.html

Repository: https://github.com/bcgit/bc-java
Blast Radius: 11.1

Affected Packages