First published: Fri Jun 01 2018
The Bouncy Castle JCE Provider could provide weaker than expected security because it did not properly validate the ASN.1 encoding of a DSA signature. A remote attacker could exploit this vulnerability to launch further attacks.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api | <=1.55 | |
| redhat/bouncycastle | <1.56 | 1.56 |
| debian/bouncycastle | 1.68-2, 1.72-2, 1.77-1 | |
| IBM GDE | <=3.0.0.2 | |
| Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api | >=1.38, <1.56 | |
| Redhat Satellite | =6.4 | |
| Redhat Satellite Capsule | =6.4 | |
| Canonical Ubuntu Linux | =14.04 | |
| NetApp 7-Mode Transition Tool | | |
| maven/org.bouncycastle:bcprov-jdk15 | >=1.38, <1.56 | 1.56 |
| maven/org.bouncycastle:bcprov-jdk14 | >=1.38, <1.56 | 1.56 |
The severity of CVE-2016-1000338 is high, with a CVSS score of 7.5.
CVE-2016-1000338 affects Bouncy Castle JCE Provider versions 1.55 and earlier.
The impact of CVE-2016-1000338 is weaker than expected security: because the ASN.1 encoding of the signature was not properly validated, extra elements could be injected into the signature and still be accepted.
To fix CVE-2016-1000338, update Bouncy Castle JCE Provider to version 1.56 or later.
More information about CVE-2016-1000338 is available at the following references:
- NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2016-1000338
- GitHub Commit: https://github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f#diff-3679f5a9d2b939d0d3ee1601a7774fb0
- Red Hat Advisory: https://access.redhat.com/errata/RHSA-2018:2669