Main Vulnerability Database Vulnerabilities #VU13587

#VU13587 Cryptographic issues in The Bouncy Castle Crypto Package For Java - CVE-2016-1000339

Published: July 5, 2018

Vulnerability identifier: #VU13587

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2016-1000339

CWE-ID: CWE-310

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
The Bouncy Castle Crypto Package For Java

Software vendor:
Legion of the Bouncy Castle Inc.

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability is present in Bouncy Castle JCE Provider due to usage of AESFastEngine that does not provide the sufficient level of secrecy and is prone to side-channel attacks.

Remediation

Install updates from vendor's website.

External links

https://github.com/bcgit/bc-java/commit/413b42f4d770456508585c830cfcde95f9b0e93b#diff-54656f860db94b...
https://github.com/bcgit/bc-java/commit/8a73f08931450c17c749af067b6a8185abdfd2c0#diff-494fb066bed02a...

#VU13587 Cryptographic issues in The Bouncy Castle Crypto Package For Java - CVE-2016-1000339

Description

Remediation

External links

Please verify you're human