Package        : bouncycastle
Version        : 1.49+dfsg-3+deb8u3
CVE ID         : CVE-2016-1000338 CVE-2016-1000339 CVE-2016-1000341
                 CVE-2016-1000342 CVE-2016-1000343 CVE-2016-1000345
                 CVE-2016-1000346

Several security vulnerabilities were found in Bouncy
Castle, a Java implementation of cryptographic algorithms.

CVE-2016-1000338
    DSA does not fully validate ASN.1 encoding of signature on
    verification. It is possible to inject extra elements in the
    sequence making up the signature and still have it validate, which
    in some cases may allow the introduction of 'invisible' data into a
    signed structure.

CVE-2016-1000339
    Previously the primary engine class used for AES was AESFastEngine.
    Due to the highly table driven approach used in the algorithm it
    turns out that if the data channel on the CPU can be monitored the
    lookup table accesses are sufficient to leak information on the AES
    key being used. There was also a leak in AESEngine although it was
    substantially less. AESEngine has been modified to remove any signs
    of leakage and is now the primary AES class for the BC JCE provider.
    Use of AESFastEngine is now only recommended where otherwise deemed
    appropriate.

CVE-2016-1000341
    DSA signature generation is vulnerable to timing attack. Where
    timings can be closely observed for the generation of signatures,
    the lack of blinding may allow an attacker to gain information about
    the signature's k value and ultimately the private value as well.

CVE-2016-1000342
    ECDSA does not fully validate ASN.1 encoding of signature on
    verification. It is possible to inject extra elements in the
    sequence making up the signature and still have it validate, which
    in some cases may allow the introduction of 'invisible' data into a
    signed structure.

CVE-2016-1000343
    The DSA key pair generator generates a weak private key if used with
    default values. If the JCA key pair generator is not explicitly
    initialised with DSA parameters, 1.55 and earlier generates a
    private value assuming a 1024 bit key size. In earlier releases this
    can be dealt with by explicitly passing parameters to the key pair
    generator.

CVE-2016-1000345
    The DHIES/ECIES CBC mode is vulnerable to padding oracle attack. In
    an environment where timings can be easily observed, it is possible
    with enough observations to identify when the decryption is failing
    due to padding.

CVE-2016-1000346
    In the Bouncy Castle JCE Provider the other party DH public key is
    not fully validated. This can cause issues as invalid keys can be
    used to reveal details about the other party's private key where
    static Diffie-Hellman is in use. As of this release the key
    parameters are checked on agreement calculation.

For Debian 8 "Jessie", these problems have been fixed in version
1.49+dfsg-3+deb8u3.

We recommend that you upgrade your bouncycastle packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Debian LTS: DLA-1418-1: bouncycastle security update

July 7, 2018
Several security vulnerabilities were found in Bouncy Castle, a Java implementation of cryptographic algorithms

Summary

CVE-2016-1000339
Previously the primary engine class used for AES was AESFastEngine.
Due to the highly table driven approach used in the algorithm it
turns out that if the data channel on the CPU can be monitored the
lookup table accesses are sufficient to leak information on the AES
key being used. There was also a leak in AESEngine although it was
substantially less. AESEngine has been modified to remove any signs
of leakage and is now the primary AES class for the BC JCE provider.
Use of AESFastEngine is now only recommended where otherwise deemed
appropriate.

CVE-2016-1000341
DSA signature generation is vulnerable to timing attack. Where
timings can be closely observed for the generation of signatures,
the lack of blinding may allow an attacker to gain information about
the signature's k value and ultimately the private value as well.

CVE-2016-1000342
ECDSA does not fully validate ASN.1 encoding of signature on
verification. It is possible to inject extra elements in the
sequence making up the signature and still have it validate, which
in some cases may allow the introduction of 'invisible' data into a
signed structure.

CVE-2016-1000343
The DSA key pair generator generates a weak private key if used with
default values. If the JCA key pair generator is not explicitly
initialised with DSA parameters, 1.55 and earlier generates a
private value assuming a 1024 bit key size. In earlier releases this
can be dealt with by explicitly passing parameters to the key pair
generator.

CVE-2016-1000345
The DHIES/ECIES CBC mode is vulnerable to padding oracle attack. In
an environment where timings can be easily observed, it is possible
with enough observations to identify when the decryption is failing
due to padding.

CVE-2016-1000346
In the Bouncy Castle JCE Provider the other party DH public key is
not fully validated. This can cause issues as invalid keys can be
used to reveal details about the other party's private key where
static Diffie-Hellman is in use. As of this release the key
parameters are checked on agreement calculation.

For Debian 8 "Jessie", these problems have been fixed in version
1.49+dfsg-3+deb8u3.

We recommend that you upgrade your bouncycastle packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Severity
Package : bouncycastle
Version : 1.49+dfsg-3+deb8u3
CVE ID : CVE-2016-1000338 CVE-2016-1000339 CVE-2016-1000341

Related News

24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved