CVE-2015-7940

Опубликовано: 14 сент. 2015

Источник: redhat

CVSS3: 3.7

CVSS2: 4.3

EPSS Низкий

Описание

The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."

It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat JBoss A-MQ 6	fabric8	Affected
Red Hat JBoss Fuse 6	fabric8	Affected
Red Hat Satellite 6	bouncycastle	Will not fix
Red Hat Subscription Asset Manager	bouncycastle	Will not fix
Red Hat JBoss A-MQ 6.3		Fixed	RHSA-2016:2036	06.10.2016
Red Hat JBoss Fuse 6.3		Fixed	RHSA-2016:2035	06.10.2016

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-358

https://bugzilla.redhat.com/show_bug.cgi?id=1276272bouncycastle: Invalid curve attack allowing to extract private keys

EPSS

Процентиль: 77%

0.01019

Низкий

3.7 Low

CVSS3

4.3 Medium

CVSS2

Связанные уязвимости

CVE-2015-7940

ubuntu

около 10 лет назад

CVE-2015-7940

nvd

около 10 лет назад

CVE-2015-7940

debian

около 10 лет назад

The Bouncy Castle Java library before 1.51 does not validate a point i ...

openSUSE-SU-2015:1911-1

suse-cvrf

больше 10 лет назад

Security update for bouncycastle

GHSA-4mv7-cq75-3qjm

github

больше 7 лет назад

Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15

EPSS

Процентиль: 77%

0.01019

Низкий

3.7 Low

CVSS3

4.3 Medium

CVSS2