1. Home
  2. Security Advisories
  3. Maven
  4. MAVEN:GHSA-R97X-3G8F-GX3M

[MAVEN:GHSA-R97X-3G8F-GX3M] The Bouncy Castle JCE Provider carry a propagation bug

Severity High
Affected Packages 2
Fixed Packages 2
CVEs 1
Info Packages References Vulnerabilities

In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.

Package Affected Version
pkg:maven/org.bouncycastle/bcprov-jdk15 >= 1.51, < 1.56
pkg:maven/org.bouncycastle/bcprov-jdk14 >= 1.51, < 1.56
Package Fixed Version
pkg:maven/org.bouncycastle/bcprov-jdk15 = 1.56
pkg:maven/org.bouncycastle/bcprov-jdk14 = 1.56
ID
MAVEN:GHSA-R97X-3G8F-GX3M
Severity
high
URL
https://github.com/advisories/GHSA-r97x-3g8f-gx3m
Published
2018-10-17T16:23:50
(6 years ago)
Modified
2023-01-09T05:03:22
(20 months ago)
Rights
Maven Security Team
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.bouncycastle/bcprov-jdk15 org.bouncycastle bcprov-jdk15 >= 1.51 < 1.56
Fixed pkg:maven/org.bouncycastle/bcprov-jdk15 org.bouncycastle bcprov-jdk15 = 1.56
Affected pkg:maven/org.bouncycastle/bcprov-jdk14 org.bouncycastle bcprov-jdk14 >= 1.51 < 1.56
Fixed pkg:maven/org.bouncycastle/bcprov-jdk14 org.bouncycastle bcprov-jdk14 = 1.56
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date