#VU55035 Information Exposure Through Timing Discrepancy in The Bouncy Castle Crypto Package For Java - CVE-2020-15522

Published: July 20, 2021


Vulnerability identifier: #VU55035
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-15522
CWE-ID: CWE-208
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: The Bouncy Castle Crypto Package For Java
Software vendor: Legion of the Bouncy Castle Inc.

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a timing issue within the EC math library. A remote attacker who can observe timing information for the generation of multiple deterministic ECDSA signatures is able to reconstruct the private key used to sign them.
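As an added illustration of the weakness class this advisory names (CWE-208), and not Bouncy Castle's code or its fix: a naive double-and-add scalar multiplication does an amount of work that depends on the nonce's bit length and Hamming weight, so signing time correlates with nonce bits, whereas a Montgomery ladder does the same work for every scalar of a fixed width. The example assumes secp256k1 parameters and counts point operations as a stand-in for wall-clock time.

```python
# Added illustration, not Bouncy Castle's code: compare how much work two
# scalar-multiplication routines do as a function of the scalar (the nonce).
# Curve: secp256k1, short Weierstrass y^2 = x^3 + 7 over F_p (real parameters).
P = 2**256 - 2**32 - 977
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Affine point addition/doubling; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # a == -b
    if a == b:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def naive_mul(k, pt):
    """Leaky: starts at the top set bit and adds only on set bits, so the
    operation count reveals the bit length and Hamming weight of k."""
    ops, r = 0, None
    for bit in bin(k)[2:]:               # leading zero bits are skipped
        r = point_add(r, r); ops += 1
        if bit == '1':
            r = point_add(r, pt); ops += 1
    return r, ops

def ladder_mul(k, pt, width=256):
    """Montgomery ladder: one doubling and one addition for every one of the
    `width` bit positions, regardless of the value of k. (A production
    implementation must also replace the if/else with a constant-time swap.)"""
    ops, r0, r1 = 0, None, pt            # invariant: r1 == r0 + pt
    for i in range(width - 1, -1, -1):
        if (k >> i) & 1:
            r0 = point_add(r0, r1); r1 = point_add(r1, r1)
        else:
            r1 = point_add(r0, r1); r0 = point_add(r0, r0)
        ops += 2
    return r0, ops
```

Running `naive_mul(1, G)` against `naive_mul(2**255, G)` shows the count jumping from 2 to 257 operations purely because of the scalar's bit length, while `ladder_mul` reports 512 for both.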


Remediation

Install updates from the vendor's website.

External links