Описание
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
A vulnerability was found in BouncyCastle. The number of iterations of the Miller-Rabin primality test was incorrectly calculated (according to FIPS 186-4 C.3). Under some circumstances, this could lead to the generation of weak RSA key pairs.
Отчет
This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. Red Hat Satellite 6.5 isn't vulnerable to this issue, since it doesn't ship bouncycastle jar file anymore.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| JBoss Developer Studio 11 | bouncycastle | Out of support scope | ||
| Red Hat JBoss Data Grid 7 | bouncycastle | Not affected | ||
| Red Hat JBoss Data Virtualization 6 | bouncycastle | Out of support scope | ||
| Red Hat JBoss Fuse 6 | bouncycastle | Will not fix | ||
| Red Hat JBoss Fuse Integration Service 2 | bouncycastle | Out of support scope | ||
| Red Hat OpenShift Application Runtimes | bouncycastle | Affected | ||
| Red Hat Satellite 6 | bouncycastle | Will not fix | ||
| Red Hat Single Sign-On 7 | bouncycastle | Not affected | ||
| Red Hat Software Collections | rh-eclipse46-bouncycastle | Will not fix | ||
| Red Hat Subscription Asset Manager | bouncycastle | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
4.8 Medium
CVSS3
Связанные уязвимости
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier h ...
Bouncy Castle has a flaw in the Low-level interface to RSA key pair generator
EPSS
4.8 Medium
CVSS3