CVE-2017-13098

Опубликовано: 12 дек. 2017

Источник: redhat

CVSS3: 6.5

Описание

BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as "ROBOT."

Отчет

This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager version 1 and Satellite version 6. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. Red Hat Satellite 6 was fixed indirectly after a rebase. Shipping a version of Bouncy Castle 1.60 or higher is sufficient to avoid this vulnerability.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat JBoss Data Grid 7	bouncycastle	Not affected
Red Hat JBoss Data Virtualization 6	bouncycastle	Not affected
Red Hat JBoss Enterprise Application Platform 7	bouncycastle	Not affected
Red Hat Satellite 6	bouncycastle	Affected
Red Hat Single Sign-On 7	bouncycastle	Not affected
Red Hat Software Collections	rh-eclipse46-bouncycastle	Not affected
Red Hat Subscription Asset Manager	bouncycastle	Will not fix
Red Hat Virtualization 4	eap7-bouncycastle	Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-300

https://bugzilla.redhat.com/show_bug.cgi?id=1525528bouncycastle: TLS server vulnerable to Adaptive Chosen Ciphertext attack when using JCE allowing plaintext recovery or MITM attack

6.5 Medium

CVSS3