|Number of vulnerabilities||1|
|Exploitation vector||Local network|
The Bouncy Castle Crypto Package For Java
Universal components / Libraries / Libraries used by multiple products
|Vendor||Legion of the Bouncy Castle Inc.|
This security bulletin contains one low risk vulnerability.
The vulnerability allows a remote attacker to bypass signature validation process.
The JCE Provider in Bouncy Castle does not fully validate ASN.1 encoding of signature on verification within ECDSA implementation. A remote attacker can inject extra elements in the sequence making up the signature, which will be considered valid allowing an attacker to add extra data into a signed structure.
Install updates from vendor's website.Vulnerable software versions
The Bouncy Castle Crypto Package For Java: 1.41 - 1.55Fixed software versions
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?