CVE-2016-1000341

CWE-361CWE-38511 documents8 sources
Severity
5.9MEDIUM
EPSS
0.8%
top 25.91%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Bouncycastle Bc-javaDebian Debian Linux
Timeline
PublishedJun 4
Latest updateOct 17

Description

In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages5 packages

Debianbouncycastle< 1.56-1+3

Also affects: Debian Linux 8.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk152018-10-17
GHSA
Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk152018-10-17
CVEList
CVE-2016-1000341: In the Bouncy Castle JCE Provider version 12018-06-04
OSV
CVE-2016-1000341: In the Bouncy Castle JCE Provider version 12018-06-04

📋Vendor Advisories

3
Ubuntu
Bouncy Castle vulnerabilities2018-08-01
Red Hat
bouncycastle: Information exposure in DSA signature generation via timing attack2018-06-07
Debian
CVE-2016-1000341: bouncycastle - In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generat...2016

💬Community

3
Bugzilla
CVE-2016-1000341 bouncycastle: Information exposure in DSA signature generation via timing attack [fedora-all]2018-06-07
Bugzilla
CVE-2016-1000341 bouncycastle: Information exposure in DSA signature generation via timing attack2018-06-07
Bugzilla
CVE-2016-1000341 bouncycastle: Information exposure in DSA signature generation via timing attack [epel-all]2018-06-07
CVE-2016-1000341 (MEDIUM CVSS 5.9) | In the Bouncy Castle JCE Provider v | cvebase.io