[MAVEN:GHSA-C8XF-M4FF-JCXJ] Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15

Severity Moderate

Affected Packages 2

Fixed Packages 2

CVEs 1

In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.

Package	Affected Version
pkg:maven/org.bouncycastle/bcprov-jdk15	< 1.56
pkg:maven/org.bouncycastle/bcprov-jdk14	< 1.56

Package	Fixed Version
pkg:maven/org.bouncycastle/bcprov-jdk15	= 1.56
pkg:maven/org.bouncycastle/bcprov-jdk14	= 1.56

ID

MAVEN:GHSA-C8XF-M4FF-JCXJ

Severity

moderate

URL

https://github.com/advisories/GHSA-c8xf-m4ff-jcxj

Published

2018-10-17T16:23:38
(6 years ago)

Modified

2023-01-09T05:03:00
(20 months ago)

Rights

Maven Security Team

Other Advisories

USN-3727-1

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2016-1000339
			https://github.com/bcgit/bc-java/commit/413b42f4d770456508585c830cfcde95f9b0e93b#diff-54656f860db94b867ba7542430cd2ef0
			https://github.com/bcgit/bc-java/commit/8a73f08931450c17c749af067b6a8185abdfd2c0#diff-494fb066bed02aeb76b6c005632943f2
			https://access.redhat.com/errata/RHSA-2018:2669
			https://access.redhat.com/errata/RHSA-2018:2927
			https://github.com/advisories/GHSA-c8xf-m4ff-jcxj
			https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html
			https://security.netapp.com/advisory/ntap-20181127-0004/
			https://usn.ubuntu.com/3727-1/
			https://www.oracle.com/security-alerts/cpuoct2020.html

Type	Package URL	Namespace	Name / Product	Version
Affected	pkg:maven/org.bouncycastle/bcprov-jdk15	org.bouncycastle	bcprov-jdk15	< 1.56
Fixed	pkg:maven/org.bouncycastle/bcprov-jdk15	org.bouncycastle	bcprov-jdk15	= 1.56
Affected	pkg:maven/org.bouncycastle/bcprov-jdk14	org.bouncycastle	bcprov-jdk14	< 1.56
Fixed	pkg:maven/org.bouncycastle/bcprov-jdk14	org.bouncycastle	bcprov-jdk14	= 1.56

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date