CVE-2016-1000346
First published: Mon Jun 04 2018(Updated: )
Bouncy Castle JCE Provider could allow a remote attacker to obtain sensitive information, caused by a flaw in the other party DH public key. A remote attacker could exploit this vulnerability to reveal details via invalid keys.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api | <=1.55 | |
| Debian Debian Linux | =8.0 | |
| redhat/bouncycastle | <1.56 | 1.56 |
| debian/bouncycastle | 1.68-2 1.72-2 1.77-1 | |
| IBM GDE | <=3.0.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2018:2669
- https://access.redhat.com/errata/RHSA-2018:2927
- https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495#diff-d525a20b8acaed791ae2f0f770eb5937
- https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html
- https://security.netapp.com/advisory/ntap-20181127-0004/
- https://usn.ubuntu.com/3727-1/
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://launchpad.net/bugs/cve/CVE-2016-1000346
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1588328
- https://access.redhat.com/security/updates/classification/
- https://bugzilla.redhat.com/show_bug.cgi?id=1588327
- https://security-tracker.debian.org/tracker/CVE-2016-1000346
- https://exchange.xforce.ibmcloud.com/vulnerabilities/151807
- https://www.ibm.com/support/pages/node/6320835 (Advisory)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000346
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000346
- https://ubuntu.com/security/CVE-2016-1000346
Frequently Asked Questions
What is CVE-2016-1000346?
CVE-2016-1000346 is a vulnerability in the Bouncy Castle JCE Provider that could allow a remote attacker to obtain sensitive information.
How does CVE-2016-1000346 affect Bouncy Castle JCE Provider?
CVE-2016-1000346 affects Bouncy Castle JCE Provider versions 1.55 and earlier by not fully validating the other party DH public key, which can reveal details about the other party's private key in static Diffie-Hellman scenarios.
What is the severity of CVE-2016-1000346?
The severity of CVE-2016-1000346 is medium, with a CVSS score of 5.3.
How can I fix CVE-2016-1000346?
To fix CVE-2016-1000346, update Bouncy Castle JCE Provider to version 1.56 or later.
Where can I find more information about CVE-2016-1000346?
You can find more information about CVE-2016-1000346 in the references provided: [link1](https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495#diff-d525a20b8acaed791ae2f0f770eb5937), [link2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1588328), [link3](https://access.redhat.com/security/updates/classification/).
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/remedy
- agent/severity
- agent/weakness
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-1000346
- agent/description
- agent/references
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/usn-cve
- source/Ubuntu
- vendor/bouncycastle
- canonical/bouncycastle legion-of-the-bouncy-castle-java-crytography-api
- version/bouncycastle legion-of-the-bouncy-castle-java-crytography-api/1.55
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- package-manager/redhat
- package-manager/debian
- vendor/ibm
- canonical/ibm gde
- version/ibm gde/3.0.0.2