PT-2018-4639 · Bouncy Castle+3 · Bouncy Castle Jce Provider+3

Published

2018-06-04

Updated

2024-06-15

CVE-2016-1000345

CVSS v3.1

5.9

Medium

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Bouncy Castle JCE Provider versions 1.55 and earlier

Description The issue concerns a padding oracle attack in the DHIES/ECIES CBC mode. In environments where timings can be observed, an attacker can identify when decryption fails due to padding with enough observations.

Recommendations For Bouncy Castle JCE Provider versions 1.55 and earlier, consider updating to a version newer than 1.55 to mitigate the risk of a padding oracle attack. At the moment, there is no information about additional mitigation measures for this issue.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-361

Related Identifiers

CVE-2016-1000345

DLA-1418-1

GHSA-9GP4-QRFF-C648

MGASA-2018-0376

OPENSUSE-SU-2018_1689-1

OPENSUSE-SU-2024:10661-1

RHSA-2018:2927

USN-3727-1

Affected Products

Bouncy Castle Jce Provider

Jira

Suse

Ubuntu

PT-2018-4639 · Bouncy Castle+3 · Bouncy Castle Jce Provider+3

CVE-2016-1000345

Weakness Enumeration

Related Identifiers

Affected Products

References · 50