Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI5Y2gtbTRmaC1mYzdx

Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15

In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.

Permalink: https://github.com/advisories/GHSA-r9ch-m4fh-fc7q
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI5Y2gtbTRmaC1mYzdx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 6 years ago
Updated: almost 2 years ago

CVSS Score: 5.9
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Percentage: 0.00381
EPSS Percentile: 0.7267

Identifiers: GHSA-r9ch-m4fh-fc7q, CVE-2016-1000341
References:

• https://nvd.nist.gov/vuln/detail/CVE-2016-1000341
• https://github.com/bcgit/bc-java/commit/acaac81f96fec91ab45bd0412beaf9c3acd8defa#diff-e75226a9ca49217a7276b29242ec59ce
• https://access.redhat.com/errata/RHSA-2018:2669
• https://access.redhat.com/errata/RHSA-2018:2927
• https://github.com/advisories/GHSA-r9ch-m4fh-fc7q
• https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html
• https://security.netapp.com/advisory/ntap-20181127-0004/
• https://usn.ubuntu.com/3727-1/
• https://www.oracle.com/security-alerts/cpuoct2020.html

Repository: https://github.com/bcgit/bc-java
Blast Radius: 17.7

Affected Packages