PT-2020-6924 · Bouncy Castle+1 · Bouncy Castle Bc-Fja+3
Published: 2020-07-04 · Updated: 2025-10-02
CVE-2020-15522
CVSS v2.0: 7.1 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Bouncy Castle BC Java versions 1.65 and earlier
Bouncy Castle BC C# .NET versions 1.8.6 and earlier
Bouncy Castle BC-FJA versions 1.0.2.0 and earlier
Bouncy Castle BC-FNA versions 1.0.1.0 and earlier
Description
A timing issue in the EC math library of Bouncy Castle can expose information about the private key when an attacker observes timing information for the generation of multiple deterministic ECDSA signatures. This is due to synchronization errors when using a shared resource during the processing of deterministic ECDSA signatures.
Recommendations
For Bouncy Castle BC Java versions 1.65 and earlier, update to version 1.66 or later.
For Bouncy Castle BC C# .NET versions 1.8.6 and earlier, update to version 1.8.7 or later.
For Bouncy Castle BC-FJA versions 1.0.2.0 and earlier, update to version 1.0.2.1 or later.
For Bouncy Castle BC-FNA versions 1.0.1.0 and earlier, update to version 1.0.1.1 or later.
Exploit
Fix
Race Condition
Side Channel Attack
Affected Products
Bouncy Castle Bc C# .Net
Bouncy Castle Bc Java
Bouncy Castle Bc-Fja
Suse