Описание
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.
A flaw was found in bouncycastle. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password allowing incorrect passwords to indicate they were matching with previously hashed ones that were different. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Меры по смягчению последствий
Users unable to upgrade to version 1.67 or greater can copy the OpenBSDBCrypt.doCheckPassword() method implementation (https://github.com/bcgit/bc-java/blob/r1rv67/core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java#L259-L343) into their own utility class and supplement it with the required methods and variables as required
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat build of Quarkus | bouncycastle | Not affected | ||
| Red Hat Decision Manager 7 | bouncycastle | Not affected | ||
| Red Hat OpenShift Application Runtimes | bouncycastle | Not affected | ||
| Red Hat Process Automation 7 | bouncycastle | Not affected | ||
| Red Hat support for Spring Boot | bouncycastle | Not affected | ||
| Red Hat Virtualization 4 | bouncycastle | Not affected | ||
| Red Hat EAP-XP 2.0.0 via EAP 7.3.x base | bouncycastle | Fixed | RHSA-2021:2755 | 15.07.2021 |
| Red Hat EAP-XP via EAP 7.3.x base | bouncycastle | Fixed | RHSA-2021:2210 | 02.06.2021 |
| Red Hat Fuse 7.8.1 | karaf | Fixed | RHSA-2021:1401 | 27.04.2021 |
| Red Hat Fuse 7.8.1 | spring-boot | Fixed | RHSA-2021:1401 | 27.04.2021 |
Показывать по
Дополнительная информация
Статус:
EPSS
8.1 High
CVSS3
Связанные уязвимости
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 an ...
Logic error in Legion of the Bouncy Castle BC Java
EPSS
8.1 High
CVSS3