Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2017-13098 (GCVE-0-2017-13098)
Vulnerability from cvelistv5
Published
2017-12-13 01:00
Modified
2024-09-16 18:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as "ROBOT."
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Legion of the Bouncy Castle | BouncyCastle TLS |
Version: <1.0.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:58:12.272Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "102195",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/102195"
},
{
"name": "VU#144389",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "http://www.kb.cert.org/vuls/id/144389"
},
{
"name": "DSA-4072",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2017/dsa-4072"
},
{
"name": "openSUSE-SU-2020:0607",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://robotattack.org/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20171222-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"all"
],
"product": "BouncyCastle TLS",
"vendor": "Legion of the Bouncy Castle",
"versions": [
{
"status": "affected",
"version": "\u003c1.0.3"
}
]
}
],
"datePublic": "2017-12-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as \"ROBOT.\""
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-203",
"description": "CWE-203",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-20T21:14:51",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "102195",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/102195"
},
{
"name": "VU#144389",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "http://www.kb.cert.org/vuls/id/144389"
},
{
"name": "DSA-4072",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2017/dsa-4072"
},
{
"name": "openSUSE-SU-2020:0607",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://robotattack.org/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20171222-0001/"
}
],
"title": "BouncyCastle JCE TLS Bleichenbacher/ROBOT",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2017-12-12T00:00:00.000Z",
"ID": "CVE-2017-13098",
"STATE": "PUBLIC",
"TITLE": "BouncyCastle JCE TLS Bleichenbacher/ROBOT"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BouncyCastle TLS",
"version": {
"version_data": [
{
"platform": "all",
"version_value": "\u003c1.0.3"
}
]
}
}
]
},
"vendor_name": "Legion of the Bouncy Castle"
}
]
}
},
"credit": [
""
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as \"ROBOT.\""
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-203"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "102195",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/102195"
},
{
"name": "VU#144389",
"refsource": "CERT-VN",
"url": "http://www.kb.cert.org/vuls/id/144389"
},
{
"name": "DSA-4072",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2017/dsa-4072"
},
{
"name": "openSUSE-SU-2020:0607",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"name": "https://robotattack.org/",
"refsource": "MISC",
"url": "https://robotattack.org/"
},
{
"name": "https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c",
"refsource": "CONFIRM",
"url": "https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c"
},
{
"name": "https://security.netapp.com/advisory/ntap-20171222-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20171222-0001/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2017-13098",
"datePublished": "2017-12-13T01:00:00Z",
"dateReserved": "2017-08-22T00:00:00",
"dateUpdated": "2024-09-16T18:39:22.646Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2017-13098\",\"sourceIdentifier\":\"cret@cert.org\",\"published\":\"2017-12-13T01:29:00.280\",\"lastModified\":\"2025-05-12T17:37:16.527\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as \\\"ROBOT.\\\"\"},{\"lang\":\"es\",\"value\":\"BouncyCastle TLS, en versiones anteriores a la 1.0.3 cuando est\u00e1 configurado para utilizar la JCE (Java Cryptography Extension) para funciones criptogr\u00e1ficas, proporciona un or\u00e1culo de Bleichenbacher d\u00e9bil cuando se negocia una suite de cifrado TLS que utiliza un intercambio de claves RSA. Un atacante puede recuperar la clave privada desde una aplicaci\u00f3n vulnerable. Esta vulnerabilidad es conocida como \\\"ROBOT\\\".\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"cret@cert.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:N/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cret@cert.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-203\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-203\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:bouncycastle:bc-java:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.59\",\"matchCriteriaId\":\"F597AE42-F2B3-4039-81DA-C881EA1D43EF\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html\",\"source\":\"cret@cert.org\"},{\"url\":\"http://www.kb.cert.org/vuls/id/144389\",\"source\":\"cret@cert.org\",\"tags\":[\"Issue Tracking\",\"Mitigation\",\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"http://www.securityfocus.com/bid/102195\",\"source\":\"cret@cert.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c\",\"source\":\"cret@cert.org\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://robotattack.org/\",\"source\":\"cret@cert.org\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20171222-0001/\",\"source\":\"cret@cert.org\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2017/dsa-4072\",\"source\":\"cret@cert.org\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2020.html\",\"source\":\"cret@cert.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.kb.cert.org/vuls/id/144389\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Mitigation\",\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"http://www.securityfocus.com/bid/102195\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://robotattack.org/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20171222-0001/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2017/dsa-4072\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
CERTFR-2020-AVI-420
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits Juniper. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| N/A | N/A | Junos Space et Junos Space Security Director versions antérieures à 20.1R1 | ||
| Juniper Networks | Junos OS Evolved | Junos OS Evolved versions antérieures à 19.1R3-EVO,19.2R2-EVO, 19.3R1-EVO, 19.3R3-EVO, 19.4R2-EVO, 19.4R2-S2-EVO, 20.1R1-EVO, 20.1R2-EVO et 20.2R1-EVO | ||
| Juniper Networks | Junos OS | Junos OS versions antérieures à 12.3R12-S15, 12.3X48-D100, 12.3X48-D95, 14.1X53-D140, 14.1X53-D54, 15.1R7-S6, 15.1R7-S7, 15.1X49-D200, 15.1X49-D210, 15.1X49-D230, 15.1X53-D593, 16.1R7-S7, 16.1R7-S8, 17.1R2-S11, 17.1R2-S12, 17.1R3-S2, 17.2R1-S9, 17.2R2-S8, 17.2R3-S3, 17.2R3-S4, 17.2X75-D105.19, 17.3R2-S5, 17.3R3-S6, 17.3R3-S7, 17.3R3-S8, 17.4R1-S3, 17.4R2, 17.4R2-S10, 17.4R2-S11, 17.4R2-S2, 17.4R2-S4, 17.4R2-S8, 17.4R2-S9, 17.4R3, 17.4R3-S1, 17.4R3-S2, 18.1R2, 18.1R3-S10, 18.1R3-S2, 18.1R3-S5, 18.1R3-S8, 18.1R3-S9, 18.2R1, 18.2R2, 18.2R2-S6, 18.2R2-S7, 18.2R3, 18.2R3-S3, 18.2R3-S4, 18.2R3-S5, 18.2X75-D10, 18.2X75-D13, 18.2X75-D32, 18.2X75-D33, 18.2X75-D34, 18.2X75-D40, 18.2X75-D41, 18.2X75-D411.1, 18.2X75-D420, 18.2X75-D420.18, 18.2X75-D430, 18.2X75-D50, 18.2X75-D52, 18.2X75-D52.3, 18.2X75-D52.8, 18.2X75-D53, 18.2X75-D60, 18.2X75-D60.2, 18.2X75-D65, 18.2X75-D65.1, 18.2X75-D70, 18.2X75-D70;(*1), 18.3R1-S2, 18.3R1-S7, 18.3R2, 18.3R2-S3, 18.3R2-S4, 18.3R3, 18.3R3-S1, 18.3R3-S2, 18.4R1, 18.4R1-S5, 18.4R1-S6, 18.4R1-S7, 18.4R2, 18.4R2-S4, 18.4R2-S5, 18.4R3, 18.4R3-S1, 18.4R3-S2, 18.4R3-S3(*2), 19.1R1-S4, 19.1R1-S5, 19.1R2, 19.1R2-S1, 19.1R2-S2, 19.1R3, 19.1R3-S2, 19.2R1, 19.2R1-S2, 19.2R1-S3, 19.2R1-S4, 19.2R1-S5, 19.2R2, 19.2R3, 19.3R2, 19.3R2-S2, 19.3R2-S3, 19.3R3, 19.4R1, 19.4R1-S1, 19.4R1-S2, 19.4R1-S3, 19.4R2, 19.4R3, 20.1R1, 20.1R1-S1, 20.1R1-S2, 20.1R2 et 20.2R1 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Junos Space et Junos Space Security Director versions ant\u00e9rieures \u00e0 20.1R1",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "Junos OS Evolved versions ant\u00e9rieures \u00e0 19.1R3-EVO,19.2R2-EVO, 19.3R1-EVO, 19.3R3-EVO, 19.4R2-EVO, 19.4R2-S2-EVO, 20.1R1-EVO, 20.1R2-EVO et 20.2R1-EVO",
"product": {
"name": "Junos OS Evolved",
"vendor": {
"name": "Juniper Networks",
"scada": false
}
}
},
{
"description": "Junos OS versions ant\u00e9rieures \u00e0 12.3R12-S15, 12.3X48-D100, 12.3X48-D95, 14.1X53-D140, 14.1X53-D54, 15.1R7-S6, 15.1R7-S7, 15.1X49-D200, 15.1X49-D210, 15.1X49-D230, 15.1X53-D593, 16.1R7-S7, 16.1R7-S8, 17.1R2-S11, 17.1R2-S12, 17.1R3-S2, 17.2R1-S9, 17.2R2-S8, 17.2R3-S3, 17.2R3-S4, 17.2X75-D105.19, 17.3R2-S5, 17.3R3-S6, 17.3R3-S7, 17.3R3-S8, 17.4R1-S3, 17.4R2, 17.4R2-S10, 17.4R2-S11, 17.4R2-S2, 17.4R2-S4, 17.4R2-S8, 17.4R2-S9, 17.4R3, 17.4R3-S1, 17.4R3-S2, 18.1R2, 18.1R3-S10, 18.1R3-S2, 18.1R3-S5, 18.1R3-S8, 18.1R3-S9, 18.2R1, 18.2R2, 18.2R2-S6, 18.2R2-S7, 18.2R3, 18.2R3-S3, 18.2R3-S4, 18.2R3-S5, 18.2X75-D10, 18.2X75-D13, 18.2X75-D32, 18.2X75-D33, 18.2X75-D34, 18.2X75-D40, 18.2X75-D41, 18.2X75-D411.1, 18.2X75-D420, 18.2X75-D420.18, 18.2X75-D430, 18.2X75-D50, 18.2X75-D52, 18.2X75-D52.3, 18.2X75-D52.8, 18.2X75-D53, 18.2X75-D60, 18.2X75-D60.2, 18.2X75-D65, 18.2X75-D65.1, 18.2X75-D70, 18.2X75-D70;(*1), 18.3R1-S2, 18.3R1-S7, 18.3R2, 18.3R2-S3, 18.3R2-S4, 18.3R3, 18.3R3-S1, 18.3R3-S2, 18.4R1, 18.4R1-S5, 18.4R1-S6, 18.4R1-S7, 18.4R2, 18.4R2-S4, 18.4R2-S5, 18.4R3, 18.4R3-S1, 18.4R3-S2, 18.4R3-S3(*2), 19.1R1-S4, 19.1R1-S5, 19.1R2, 19.1R2-S1, 19.1R2-S2, 19.1R3, 19.1R3-S2, 19.2R1, 19.2R1-S2, 19.2R1-S3, 19.2R1-S4, 19.2R1-S5, 19.2R2, 19.2R3, 19.3R2, 19.3R2-S2, 19.3R2-S3, 19.3R3, 19.4R1, 19.4R1-S1, 19.4R1-S2, 19.4R1-S3, 19.4R2, 19.4R3, 20.1R1, 20.1R1-S1, 20.1R1-S2, 20.1R2 et 20.2R1",
"product": {
"name": "Junos OS",
"vendor": {
"name": "Juniper Networks",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2011-1167",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-1167"
},
{
"name": "CVE-2016-2324",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2324"
},
{
"name": "CVE-2013-1960",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1960"
},
{
"name": "CVE-2012-4447",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-4447"
},
{
"name": "CVE-2016-3991",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-3991"
},
{
"name": "CVE-2016-1838",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1838"
},
{
"name": "CVE-2014-7826",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-7826"
},
{
"name": "CVE-2020-1648",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1648"
},
{
"name": "CVE-2016-3621",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-3621"
},
{
"name": "CVE-2011-0192",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-0192"
},
{
"name": "CVE-2016-1000341",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000341"
},
{
"name": "CVE-2016-6662",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6662"
},
{
"name": "CVE-2019-0169",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-0169"
},
{
"name": "CVE-2019-11097",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11097"
},
{
"name": "CVE-2009-2347",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-2347"
},
{
"name": "CVE-2014-3634",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-3634"
},
{
"name": "CVE-2016-1000343",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000343"
},
{
"name": "CVE-2015-1782",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-1782"
},
{
"name": "CVE-2017-13098",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-13098"
},
{
"name": "CVE-2019-11132",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11132"
},
{
"name": "CVE-2014-7825",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-7825"
},
{
"name": "CVE-2016-6136",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6136"
},
{
"name": "CVE-2020-1646",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1646"
},
{
"name": "CVE-2019-11086",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11086"
},
{
"name": "CVE-2017-7895",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7895"
},
{
"name": "CVE-2012-1173",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-1173"
},
{
"name": "CVE-2012-2088",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-2088"
},
{
"name": "CVE-2014-9938",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-9938"
},
{
"name": "CVE-2015-1158",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-1158"
},
{
"name": "CVE-2020-1651",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1651"
},
{
"name": "CVE-2010-2067",
"url": "https://www.cve.org/CVERecord?id=CVE-2010-2067"
},
{
"name": "CVE-2019-11106",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11106"
},
{
"name": "CVE-2016-1000346",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000346"
},
{
"name": "CVE-2016-3945",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-3945"
},
{
"name": "CVE-2016-4447",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-4447"
},
{
"name": "CVE-2016-4448",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-4448"
},
{
"name": "CVE-2020-1645",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1645"
},
{
"name": "CVE-2016-1000345",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000345"
},
{
"name": "CVE-2020-1640",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1640"
},
{
"name": "CVE-2013-4244",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-4244"
},
{
"name": "CVE-2016-3705",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-3705"
},
{
"name": "CVE-2020-1643",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1643"
},
{
"name": "CVE-2018-16881",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16881"
},
{
"name": "CVE-2015-7940",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7940"
},
{
"name": "CVE-2017-1000117",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-1000117"
},
{
"name": "CVE-2012-5581",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5581"
},
{
"name": "CVE-2016-1000338",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000338"
},
{
"name": "CVE-2014-3690",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-3690"
},
{
"name": "CVE-2018-1000613",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1000613"
},
{
"name": "CVE-2017-12588",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-12588"
},
{
"name": "CVE-2016-0787",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-0787"
},
{
"name": "CVE-2016-1834",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1834"
},
{
"name": "CVE-2016-9555",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-9555"
},
{
"name": "CVE-2013-1624",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1624"
},
{
"name": "CVE-2016-3990",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-3990"
},
{
"name": "CVE-2019-0168",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-0168"
},
{
"name": "CVE-2018-1000021",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1000021"
},
{
"name": "CVE-2019-11103",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11103"
},
{
"name": "CVE-2014-9679",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-9679"
},
{
"name": "CVE-2020-1647",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1647"
},
{
"name": "CVE-2019-11107",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11107"
},
{
"name": "CVE-2020-1652",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1652"
},
{
"name": "CVE-2017-14867",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-14867"
},
{
"name": "CVE-2009-5022",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-5022"
},
{
"name": "CVE-2016-1835",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1835"
},
{
"name": "CVE-2019-3856",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-3856"
},
{
"name": "CVE-2020-1650",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1650"
},
{
"name": "CVE-2016-1000342",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000342"
},
{
"name": "CVE-2019-3863",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-3863"
},
{
"name": "CVE-2016-1836",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1836"
},
{
"name": "CVE-2019-11110",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11110"
},
{
"name": "CVE-2013-0169",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0169"
},
{
"name": "CVE-2016-1000339",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000339"
},
{
"name": "CVE-2008-2327",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-2327"
},
{
"name": "CVE-2017-9935",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-9935"
},
{
"name": "CVE-2018-3639",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3639"
},
{
"name": "CVE-2018-5382",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-5382"
},
{
"name": "CVE-2014-9584",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-9584"
},
{
"name": "CVE-2019-11102",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11102"
},
{
"name": "CVE-2019-3862",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-3862"
},
{
"name": "CVE-2019-11088",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11088"
},
{
"name": "CVE-2019-11105",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11105"
},
{
"name": "CVE-2016-5616",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-5616"
},
{
"name": "CVE-2015-1421",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-1421"
},
{
"name": "CVE-2014-9529",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-9529"
},
{
"name": "CVE-2020-1654",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1654"
},
{
"name": "CVE-2013-1961",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1961"
},
{
"name": "CVE-2015-7082",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7082"
},
{
"name": "CVE-2006-2193",
"url": "https://www.cve.org/CVERecord?id=CVE-2006-2193"
},
{
"name": "CVE-2014-8171",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-8171"
},
{
"name": "CVE-2006-2656",
"url": "https://www.cve.org/CVERecord?id=CVE-2006-2656"
},
{
"name": "CVE-2019-11101",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11101"
},
{
"name": "CVE-2016-1833",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1833"
},
{
"name": "CVE-2018-11233",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-11233"
},
{
"name": "CVE-2013-4232",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-4232"
},
{
"name": "CVE-2013-4243",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-4243"
},
{
"name": "CVE-2016-3627",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-3627"
},
{
"name": "CVE-2011-3200",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3200"
},
{
"name": "CVE-2016-1840",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1840"
},
{
"name": "CVE-2017-15298",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-15298"
},
{
"name": "CVE-2014-8884",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-8884"
},
{
"name": "CVE-2015-1159",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-1159"
},
{
"name": "CVE-2016-1762",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1762"
},
{
"name": "CVE-2019-11131",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11131"
},
{
"name": "CVE-2020-1641",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1641"
},
{
"name": "CVE-2019-11090",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11090"
},
{
"name": "CVE-2013-4758",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-4758"
},
{
"name": "CVE-2016-1837",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1837"
},
{
"name": "CVE-2019-0131",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-0131"
},
{
"name": "CVE-2019-11109",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11109"
},
{
"name": "CVE-2016-5314",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-5314"
},
{
"name": "CVE-2016-1839",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1839"
},
{
"name": "CVE-2016-1000352",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000352"
},
{
"name": "CVE-2010-2065",
"url": "https://www.cve.org/CVERecord?id=CVE-2010-2065"
},
{
"name": "CVE-2019-0166",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-0166"
},
{
"name": "CVE-2010-1411",
"url": "https://www.cve.org/CVERecord?id=CVE-2010-1411"
},
{
"name": "CVE-2016-3632",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-3632"
},
{
"name": "CVE-2019-3855",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-3855"
},
{
"name": "CVE-2015-7547",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7547"
},
{
"name": "CVE-2020-1649",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1649"
},
{
"name": "CVE-2019-3857",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-3857"
},
{
"name": "CVE-2012-4564",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-4564"
},
{
"name": "CVE-2012-2113",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-2113"
},
{
"name": "CVE-2019-11104",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11104"
},
{
"name": "CVE-2019-11087",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11087"
},
{
"name": "CVE-2016-1000344",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000344"
},
{
"name": "CVE-2019-11108",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11108"
},
{
"name": "CVE-2014-3215",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-3215"
},
{
"name": "CVE-2018-11235",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-11235"
},
{
"name": "CVE-2016-6663",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6663"
},
{
"name": "CVE-2018-19486",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19486"
},
{
"name": "CVE-2015-7545",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7545"
},
{
"name": "CVE-2016-4449",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-4449"
},
{
"name": "CVE-2019-1551",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-1551"
},
{
"name": "CVE-2019-11100",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11100"
},
{
"name": "CVE-2018-5360",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-5360"
},
{
"name": "CVE-2018-1000180",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1000180"
},
{
"name": "CVE-2019-0165",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-0165"
},
{
"name": "CVE-2020-1644",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1644"
},
{
"name": "CVE-2019-11147",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11147"
},
{
"name": "CVE-2012-3401",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-3401"
},
{
"name": "CVE-2019-0211",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-0211"
},
{
"name": "CVE-2014-3683",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-3683"
}
],
"initial_release_date": "2020-07-09T00:00:00",
"last_revision_date": "2020-07-09T00:00:00",
"links": [],
"reference": "CERTFR-2020-AVI-420",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2020-07-09T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nJuniper. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Juniper",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA11038 du 08 juillet 2020",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11038\u0026cat=SIRT_1\u0026actp=LIST"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA11024 du 08 juillet 2020",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11024\u0026cat=SIRT_1\u0026actp=LIST"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA11026 du 08 juillet 2020",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11026\u0026cat=SIRT_1\u0026actp=LIST"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA11027 du 08 juillet 2020",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11027\u0026cat=SIRT_1\u0026actp=LIST"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA11035 du 08 juillet 2020",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11035\u0026cat=SIRT_1\u0026actp=LIST"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA11023 du 08 juillet 2020",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11023\u0026cat=SIRT_1\u0026actp=LIST"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA11025 du 08 juillet 2020",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11025\u0026cat=SIRT_1\u0026actp=LIST"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA11034 du 08 juillet 2020",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11034\u0026cat=SIRT_1\u0026actp=LIST"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA11033 du 08 juillet 2020",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11033\u0026cat=SIRT_1\u0026actp=LIST"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA11032 du 08 juillet 2020",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11032\u0026cat=SIRT_1\u0026actp=LIST"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA11036 du 08 juillet 2020",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11036\u0026cat=SIRT_1\u0026actp=LIST"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA11031 du 08 juillet 2020",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11031\u0026cat=SIRT_1\u0026actp=LIST"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA11030 du 08 juillet 2020",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11030\u0026cat=SIRT_1\u0026actp=LIST"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA11037 du 08 juillet 2020",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11037\u0026cat=SIRT_1\u0026actp=LIST"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA11028 du 08 juillet 2020",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11028\u0026cat=SIRT_1\u0026actp=LIST"
}
]
}
CERTFR-2022-AVI-171
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les commutateurs Aruba AOS-CX. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| HPE Aruba Networking | AOS | AOS-CX versions 10.06.x antérieures à 10.06.0180 | ||
| HPE Aruba Networking | AOS | AOS-CX versions 10.09.x antérieures à 10.09.0010 | ||
| HPE Aruba Networking | AOS | AOS-CX versions 10.07.x antérieures à 10.07.0061 | ||
| HPE Aruba Networking | AOS | AOS-CX versions 10.08.x antérieures à 10.08.1040 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "AOS-CX versions 10.06.x ant\u00e9rieures \u00e0 10.06.0180",
"product": {
"name": "AOS",
"vendor": {
"name": "HPE Aruba Networking",
"scada": false
}
}
},
{
"description": "AOS-CX versions 10.09.x ant\u00e9rieures \u00e0 10.09.0010",
"product": {
"name": "AOS",
"vendor": {
"name": "HPE Aruba Networking",
"scada": false
}
}
},
{
"description": "AOS-CX versions 10.07.x ant\u00e9rieures \u00e0 10.07.0061",
"product": {
"name": "AOS",
"vendor": {
"name": "HPE Aruba Networking",
"scada": false
}
}
},
{
"description": "AOS-CX versions 10.08.x ant\u00e9rieures \u00e0 10.08.1040",
"product": {
"name": "AOS",
"vendor": {
"name": "HPE Aruba Networking",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2017-13099",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-13099"
},
{
"name": "CVE-2016-6883",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6883"
},
{
"name": "CVE-2017-17427",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-17427"
},
{
"name": "CVE-2012-5081",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5081"
},
{
"name": "CVE-2017-13098",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-13098"
},
{
"name": "CVE-2017-1000385",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-1000385"
},
{
"name": "CVE-2002-20001",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-20001"
},
{
"name": "CVE-2017-6168",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-6168"
},
{
"name": "CVE-2021-41000",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41000"
},
{
"name": "CVE-2017-12373",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-12373"
},
{
"name": "CVE-2021-41003",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41003"
},
{
"name": "CVE-2017-17428",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-17428"
},
{
"name": "CVE-2021-41001",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41001"
},
{
"name": "CVE-2021-3712",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3712"
},
{
"name": "CVE-2017-17382",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-17382"
},
{
"name": "CVE-2021-41002",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41002"
}
],
"initial_release_date": "2022-02-23T00:00:00",
"last_revision_date": "2022-02-23T00:00:00",
"links": [],
"reference": "CERTFR-2022-AVI-171",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-02-23T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les commutateurs\nAruba AOS-CX. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de\nservice \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les commutateurs Aruba AOS-CX",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Aruba AOS-CX ARUBA-PSA-2022-004 du 23 f\u00e9vrier 2022",
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-004.txt"
}
]
}
fkie_cve-2017-13098
Vulnerability from fkie_nvd
Published
2017-12-13 01:29
Modified
2025-05-12 17:37
Severity ?
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5.9 (Medium) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
5.9 (Medium) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as "ROBOT."
References
| URL | Tags | ||
|---|---|---|---|
| cret@cert.org | http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html | ||
| cret@cert.org | http://www.kb.cert.org/vuls/id/144389 | Issue Tracking, Mitigation, Third Party Advisory, US Government Resource | |
| cret@cert.org | http://www.securityfocus.com/bid/102195 | Third Party Advisory, VDB Entry | |
| cret@cert.org | https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c | Issue Tracking, Patch, Third Party Advisory | |
| cret@cert.org | https://robotattack.org/ | Issue Tracking, Third Party Advisory | |
| cret@cert.org | https://security.netapp.com/advisory/ntap-20171222-0001/ | Issue Tracking, Third Party Advisory | |
| cret@cert.org | https://www.debian.org/security/2017/dsa-4072 | Issue Tracking, Third Party Advisory | |
| cret@cert.org | https://www.oracle.com/security-alerts/cpuoct2020.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.kb.cert.org/vuls/id/144389 | Issue Tracking, Mitigation, Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/102195 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://robotattack.org/ | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20171222-0001/ | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2017/dsa-4072 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpuoct2020.html |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bouncycastle | bc-java | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bouncycastle:bc-java:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F597AE42-F2B3-4039-81DA-C881EA1D43EF",
"versionEndExcluding": "1.59",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as \"ROBOT.\""
},
{
"lang": "es",
"value": "BouncyCastle TLS, en versiones anteriores a la 1.0.3 cuando est\u00e1 configurado para utilizar la JCE (Java Cryptography Extension) para funciones criptogr\u00e1ficas, proporciona un or\u00e1culo de Bleichenbacher d\u00e9bil cuando se negocia una suite de cifrado TLS que utiliza un intercambio de claves RSA. Un atacante puede recuperar la clave privada desde una aplicaci\u00f3n vulnerable. Esta vulnerabilidad es conocida como \"ROBOT\"."
}
],
"id": "CVE-2017-13098",
"lastModified": "2025-05-12T17:37:16.527",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "cret@cert.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-12-13T01:29:00.280",
"references": [
{
"source": "cret@cert.org",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html"
},
{
"source": "cret@cert.org",
"tags": [
"Issue Tracking",
"Mitigation",
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/144389"
},
{
"source": "cret@cert.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/102195"
},
{
"source": "cret@cert.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c"
},
{
"source": "cret@cert.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://robotattack.org/"
},
{
"source": "cret@cert.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20171222-0001/"
},
{
"source": "cret@cert.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2017/dsa-4072"
},
{
"source": "cret@cert.org",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Mitigation",
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/144389"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/102195"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://robotattack.org/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20171222-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2017/dsa-4072"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
}
],
"sourceIdentifier": "cret@cert.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-203"
}
],
"source": "cret@cert.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-203"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
opensuse-su-2024:10661-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
bouncycastle-1.68-3.2 on GA media
Notes
Title of the patch
bouncycastle-1.68-3.2 on GA media
Description of the patch
These are all security issues fixed in the bouncycastle-1.68-3.2 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-10661
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "bouncycastle-1.68-3.2 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the bouncycastle-1.68-3.2 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-10661",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_10661-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-1000338 page",
"url": "https://www.suse.com/security/cve/CVE-2016-1000338/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-1000339 page",
"url": "https://www.suse.com/security/cve/CVE-2016-1000339/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-1000340 page",
"url": "https://www.suse.com/security/cve/CVE-2016-1000340/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-1000341 page",
"url": "https://www.suse.com/security/cve/CVE-2016-1000341/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-1000342 page",
"url": "https://www.suse.com/security/cve/CVE-2016-1000342/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-1000343 page",
"url": "https://www.suse.com/security/cve/CVE-2016-1000343/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-1000344 page",
"url": "https://www.suse.com/security/cve/CVE-2016-1000344/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-1000345 page",
"url": "https://www.suse.com/security/cve/CVE-2016-1000345/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-1000346 page",
"url": "https://www.suse.com/security/cve/CVE-2016-1000346/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-1000352 page",
"url": "https://www.suse.com/security/cve/CVE-2016-1000352/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-13098 page",
"url": "https://www.suse.com/security/cve/CVE-2017-13098/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-1000180 page",
"url": "https://www.suse.com/security/cve/CVE-2018-1000180/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-1000613 page",
"url": "https://www.suse.com/security/cve/CVE-2018-1000613/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-17359 page",
"url": "https://www.suse.com/security/cve/CVE-2019-17359/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-15522 page",
"url": "https://www.suse.com/security/cve/CVE-2020-15522/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-28052 page",
"url": "https://www.suse.com/security/cve/CVE-2020-28052/"
}
],
"title": "bouncycastle-1.68-3.2 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:10661-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "bouncycastle-1.68-3.2.aarch64",
"product": {
"name": "bouncycastle-1.68-3.2.aarch64",
"product_id": "bouncycastle-1.68-3.2.aarch64"
}
},
{
"category": "product_version",
"name": "bouncycastle-javadoc-1.68-3.2.aarch64",
"product": {
"name": "bouncycastle-javadoc-1.68-3.2.aarch64",
"product_id": "bouncycastle-javadoc-1.68-3.2.aarch64"
}
},
{
"category": "product_version",
"name": "bouncycastle-mail-1.68-3.2.aarch64",
"product": {
"name": "bouncycastle-mail-1.68-3.2.aarch64",
"product_id": "bouncycastle-mail-1.68-3.2.aarch64"
}
},
{
"category": "product_version",
"name": "bouncycastle-pg-1.68-3.2.aarch64",
"product": {
"name": "bouncycastle-pg-1.68-3.2.aarch64",
"product_id": "bouncycastle-pg-1.68-3.2.aarch64"
}
},
{
"category": "product_version",
"name": "bouncycastle-pkix-1.68-3.2.aarch64",
"product": {
"name": "bouncycastle-pkix-1.68-3.2.aarch64",
"product_id": "bouncycastle-pkix-1.68-3.2.aarch64"
}
},
{
"category": "product_version",
"name": "bouncycastle-tls-1.68-3.2.aarch64",
"product": {
"name": "bouncycastle-tls-1.68-3.2.aarch64",
"product_id": "bouncycastle-tls-1.68-3.2.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "bouncycastle-1.68-3.2.ppc64le",
"product": {
"name": "bouncycastle-1.68-3.2.ppc64le",
"product_id": "bouncycastle-1.68-3.2.ppc64le"
}
},
{
"category": "product_version",
"name": "bouncycastle-javadoc-1.68-3.2.ppc64le",
"product": {
"name": "bouncycastle-javadoc-1.68-3.2.ppc64le",
"product_id": "bouncycastle-javadoc-1.68-3.2.ppc64le"
}
},
{
"category": "product_version",
"name": "bouncycastle-mail-1.68-3.2.ppc64le",
"product": {
"name": "bouncycastle-mail-1.68-3.2.ppc64le",
"product_id": "bouncycastle-mail-1.68-3.2.ppc64le"
}
},
{
"category": "product_version",
"name": "bouncycastle-pg-1.68-3.2.ppc64le",
"product": {
"name": "bouncycastle-pg-1.68-3.2.ppc64le",
"product_id": "bouncycastle-pg-1.68-3.2.ppc64le"
}
},
{
"category": "product_version",
"name": "bouncycastle-pkix-1.68-3.2.ppc64le",
"product": {
"name": "bouncycastle-pkix-1.68-3.2.ppc64le",
"product_id": "bouncycastle-pkix-1.68-3.2.ppc64le"
}
},
{
"category": "product_version",
"name": "bouncycastle-tls-1.68-3.2.ppc64le",
"product": {
"name": "bouncycastle-tls-1.68-3.2.ppc64le",
"product_id": "bouncycastle-tls-1.68-3.2.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "bouncycastle-1.68-3.2.s390x",
"product": {
"name": "bouncycastle-1.68-3.2.s390x",
"product_id": "bouncycastle-1.68-3.2.s390x"
}
},
{
"category": "product_version",
"name": "bouncycastle-javadoc-1.68-3.2.s390x",
"product": {
"name": "bouncycastle-javadoc-1.68-3.2.s390x",
"product_id": "bouncycastle-javadoc-1.68-3.2.s390x"
}
},
{
"category": "product_version",
"name": "bouncycastle-mail-1.68-3.2.s390x",
"product": {
"name": "bouncycastle-mail-1.68-3.2.s390x",
"product_id": "bouncycastle-mail-1.68-3.2.s390x"
}
},
{
"category": "product_version",
"name": "bouncycastle-pg-1.68-3.2.s390x",
"product": {
"name": "bouncycastle-pg-1.68-3.2.s390x",
"product_id": "bouncycastle-pg-1.68-3.2.s390x"
}
},
{
"category": "product_version",
"name": "bouncycastle-pkix-1.68-3.2.s390x",
"product": {
"name": "bouncycastle-pkix-1.68-3.2.s390x",
"product_id": "bouncycastle-pkix-1.68-3.2.s390x"
}
},
{
"category": "product_version",
"name": "bouncycastle-tls-1.68-3.2.s390x",
"product": {
"name": "bouncycastle-tls-1.68-3.2.s390x",
"product_id": "bouncycastle-tls-1.68-3.2.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "bouncycastle-1.68-3.2.x86_64",
"product": {
"name": "bouncycastle-1.68-3.2.x86_64",
"product_id": "bouncycastle-1.68-3.2.x86_64"
}
},
{
"category": "product_version",
"name": "bouncycastle-javadoc-1.68-3.2.x86_64",
"product": {
"name": "bouncycastle-javadoc-1.68-3.2.x86_64",
"product_id": "bouncycastle-javadoc-1.68-3.2.x86_64"
}
},
{
"category": "product_version",
"name": "bouncycastle-mail-1.68-3.2.x86_64",
"product": {
"name": "bouncycastle-mail-1.68-3.2.x86_64",
"product_id": "bouncycastle-mail-1.68-3.2.x86_64"
}
},
{
"category": "product_version",
"name": "bouncycastle-pg-1.68-3.2.x86_64",
"product": {
"name": "bouncycastle-pg-1.68-3.2.x86_64",
"product_id": "bouncycastle-pg-1.68-3.2.x86_64"
}
},
{
"category": "product_version",
"name": "bouncycastle-pkix-1.68-3.2.x86_64",
"product": {
"name": "bouncycastle-pkix-1.68-3.2.x86_64",
"product_id": "bouncycastle-pkix-1.68-3.2.x86_64"
}
},
{
"category": "product_version",
"name": "bouncycastle-tls-1.68-3.2.x86_64",
"product": {
"name": "bouncycastle-tls-1.68-3.2.x86_64",
"product_id": "bouncycastle-tls-1.68-3.2.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-1.68-3.2.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64"
},
"product_reference": "bouncycastle-1.68-3.2.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-1.68-3.2.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le"
},
"product_reference": "bouncycastle-1.68-3.2.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-1.68-3.2.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x"
},
"product_reference": "bouncycastle-1.68-3.2.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-1.68-3.2.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64"
},
"product_reference": "bouncycastle-1.68-3.2.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-javadoc-1.68-3.2.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64"
},
"product_reference": "bouncycastle-javadoc-1.68-3.2.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-javadoc-1.68-3.2.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le"
},
"product_reference": "bouncycastle-javadoc-1.68-3.2.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-javadoc-1.68-3.2.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x"
},
"product_reference": "bouncycastle-javadoc-1.68-3.2.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-javadoc-1.68-3.2.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64"
},
"product_reference": "bouncycastle-javadoc-1.68-3.2.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-mail-1.68-3.2.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64"
},
"product_reference": "bouncycastle-mail-1.68-3.2.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-mail-1.68-3.2.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le"
},
"product_reference": "bouncycastle-mail-1.68-3.2.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-mail-1.68-3.2.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x"
},
"product_reference": "bouncycastle-mail-1.68-3.2.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-mail-1.68-3.2.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64"
},
"product_reference": "bouncycastle-mail-1.68-3.2.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-pg-1.68-3.2.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64"
},
"product_reference": "bouncycastle-pg-1.68-3.2.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-pg-1.68-3.2.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le"
},
"product_reference": "bouncycastle-pg-1.68-3.2.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-pg-1.68-3.2.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x"
},
"product_reference": "bouncycastle-pg-1.68-3.2.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-pg-1.68-3.2.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64"
},
"product_reference": "bouncycastle-pg-1.68-3.2.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-pkix-1.68-3.2.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64"
},
"product_reference": "bouncycastle-pkix-1.68-3.2.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-pkix-1.68-3.2.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le"
},
"product_reference": "bouncycastle-pkix-1.68-3.2.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-pkix-1.68-3.2.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x"
},
"product_reference": "bouncycastle-pkix-1.68-3.2.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-pkix-1.68-3.2.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64"
},
"product_reference": "bouncycastle-pkix-1.68-3.2.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-tls-1.68-3.2.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64"
},
"product_reference": "bouncycastle-tls-1.68-3.2.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-tls-1.68-3.2.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le"
},
"product_reference": "bouncycastle-tls-1.68-3.2.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-tls-1.68-3.2.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x"
},
"product_reference": "bouncycastle-tls-1.68-3.2.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-tls-1.68-3.2.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
},
"product_reference": "bouncycastle-tls-1.68-3.2.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2016-1000338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-1000338"
}
],
"notes": [
{
"category": "general",
"text": "In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of \u0027invisible\u0027 data into a signed structure.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-1000338",
"url": "https://www.suse.com/security/cve/CVE-2016-1000338"
},
{
"category": "external",
"summary": "SUSE Bug 1095722 for CVE-2016-1000338",
"url": "https://bugzilla.suse.com/1095722"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2016-1000338"
},
{
"cve": "CVE-2016-1000339",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-1000339"
}
],
"notes": [
{
"category": "general",
"text": "In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-1000339",
"url": "https://www.suse.com/security/cve/CVE-2016-1000339"
},
{
"category": "external",
"summary": "SUSE Bug 1095853 for CVE-2016-1000339",
"url": "https://bugzilla.suse.com/1095853"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2016-1000339"
},
{
"cve": "CVE-2016-1000340",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-1000340"
}
],
"notes": [
{
"category": "general",
"text": "In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-1000340",
"url": "https://www.suse.com/security/cve/CVE-2016-1000340"
},
{
"category": "external",
"summary": "SUSE Bug 1095854 for CVE-2016-1000340",
"url": "https://bugzilla.suse.com/1095854"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2016-1000340"
},
{
"cve": "CVE-2016-1000341",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-1000341"
}
],
"notes": [
{
"category": "general",
"text": "In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature\u0027s k value and ultimately the private value as well.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-1000341",
"url": "https://www.suse.com/security/cve/CVE-2016-1000341"
},
{
"category": "external",
"summary": "SUSE Bug 1095852 for CVE-2016-1000341",
"url": "https://bugzilla.suse.com/1095852"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2016-1000341"
},
{
"cve": "CVE-2016-1000342",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-1000342"
}
],
"notes": [
{
"category": "general",
"text": "In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of \u0027invisible\u0027 data into a signed structure.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-1000342",
"url": "https://www.suse.com/security/cve/CVE-2016-1000342"
},
{
"category": "external",
"summary": "SUSE Bug 1095850 for CVE-2016-1000342",
"url": "https://bugzilla.suse.com/1095850"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2016-1000342"
},
{
"cve": "CVE-2016-1000343",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-1000343"
}
],
"notes": [
{
"category": "general",
"text": "In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-1000343",
"url": "https://www.suse.com/security/cve/CVE-2016-1000343"
},
{
"category": "external",
"summary": "SUSE Bug 1095849 for CVE-2016-1000343",
"url": "https://bugzilla.suse.com/1095849"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2016-1000343"
},
{
"cve": "CVE-2016-1000344",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-1000344"
}
],
"notes": [
{
"category": "general",
"text": "In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-1000344",
"url": "https://www.suse.com/security/cve/CVE-2016-1000344"
},
{
"category": "external",
"summary": "SUSE Bug 1096026 for CVE-2016-1000344",
"url": "https://bugzilla.suse.com/1096026"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2016-1000344"
},
{
"cve": "CVE-2016-1000345",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-1000345"
}
],
"notes": [
{
"category": "general",
"text": "In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-1000345",
"url": "https://www.suse.com/security/cve/CVE-2016-1000345"
},
{
"category": "external",
"summary": "SUSE Bug 1096025 for CVE-2016-1000345",
"url": "https://bugzilla.suse.com/1096025"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2016-1000345"
},
{
"cve": "CVE-2016-1000346",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-1000346"
}
],
"notes": [
{
"category": "general",
"text": "In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party\u0027s private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-1000346",
"url": "https://www.suse.com/security/cve/CVE-2016-1000346"
},
{
"category": "external",
"summary": "SUSE Bug 1096024 for CVE-2016-1000346",
"url": "https://bugzilla.suse.com/1096024"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2016-1000346"
},
{
"cve": "CVE-2016-1000352",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-1000352"
}
],
"notes": [
{
"category": "general",
"text": "In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-1000352",
"url": "https://www.suse.com/security/cve/CVE-2016-1000352"
},
{
"category": "external",
"summary": "SUSE Bug 1096022 for CVE-2016-1000352",
"url": "https://bugzilla.suse.com/1096022"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2016-1000352"
},
{
"cve": "CVE-2017-13098",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-13098"
}
],
"notes": [
{
"category": "general",
"text": "BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as \"ROBOT.\"",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-13098",
"url": "https://www.suse.com/security/cve/CVE-2017-13098"
},
{
"category": "external",
"summary": "SUSE Bug 1072697 for CVE-2017-13098",
"url": "https://bugzilla.suse.com/1072697"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2017-13098"
},
{
"cve": "CVE-2018-1000180",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-1000180"
}
],
"notes": [
{
"category": "general",
"text": "Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-1000180",
"url": "https://www.suse.com/security/cve/CVE-2018-1000180"
},
{
"category": "external",
"summary": "SUSE Bug 1096291 for CVE-2018-1000180",
"url": "https://bugzilla.suse.com/1096291"
},
{
"category": "external",
"summary": "SUSE Bug 1153385 for CVE-2018-1000180",
"url": "https://bugzilla.suse.com/1153385"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2018-1000180"
},
{
"cve": "CVE-2018-1000613",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-1000613"
}
],
"notes": [
{
"category": "general",
"text": "Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027) vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-1000613",
"url": "https://www.suse.com/security/cve/CVE-2018-1000613"
},
{
"category": "external",
"summary": "SUSE Bug 1096291 for CVE-2018-1000613",
"url": "https://bugzilla.suse.com/1096291"
},
{
"category": "external",
"summary": "SUSE Bug 1100694 for CVE-2018-1000613",
"url": "https://bugzilla.suse.com/1100694"
},
{
"category": "external",
"summary": "SUSE Bug 1153385 for CVE-2018-1000613",
"url": "https://bugzilla.suse.com/1153385"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2018-1000613"
},
{
"cve": "CVE-2019-17359",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-17359"
}
],
"notes": [
{
"category": "general",
"text": "The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-17359",
"url": "https://www.suse.com/security/cve/CVE-2019-17359"
},
{
"category": "external",
"summary": "SUSE Bug 1153385 for CVE-2019-17359",
"url": "https://bugzilla.suse.com/1153385"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2019-17359"
},
{
"cve": "CVE-2020-15522",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-15522"
}
],
"notes": [
{
"category": "general",
"text": "Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-15522",
"url": "https://www.suse.com/security/cve/CVE-2020-15522"
},
{
"category": "external",
"summary": "SUSE Bug 1186328 for CVE-2020-15522",
"url": "https://bugzilla.suse.com/1186328"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-15522"
},
{
"cve": "CVE-2020-28052",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-28052"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-28052",
"url": "https://www.suse.com/security/cve/CVE-2020-28052"
},
{
"category": "external",
"summary": "SUSE Bug 1180215 for CVE-2020-28052",
"url": "https://bugzilla.suse.com/1180215"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2.x86_64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.aarch64",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.ppc64le",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.s390x",
"openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2020-28052"
}
]
}
opensuse-su-2020:0607-1
Vulnerability from csaf_opensuse
Published
2020-05-03 16:19
Modified
2020-05-03 16:19
Summary
Security update for bouncycastle
Notes
Title of the patch
Security update for bouncycastle
Description of the patch
This update for bouncycastle fixes the following issues:
Version update to 1.60:
* CVE-2018-1000613: Use of Externally-ControlledInput to Select Classes or Code (boo#1100694)
* Release notes:
http://www.bouncycastle.org/releasenotes.html
Version update to 1.59:
* CVE-2017-13098: Fix against Bleichenbacher oracle when not
using the lightweight APIs (boo#1072697).
* Release notes:
http://www.bouncycastle.org/releasenotes.html
Patchnames
openSUSE-2020-607
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for bouncycastle",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for bouncycastle fixes the following issues:\n\nVersion update to 1.60:\n\n* CVE-2018-1000613: Use of Externally-ControlledInput to Select Classes or Code (boo#1100694)\n\n* Release notes:\n http://www.bouncycastle.org/releasenotes.html\n\nVersion update to 1.59: \n\n* CVE-2017-13098: Fix against Bleichenbacher oracle when not\n using the lightweight APIs (boo#1072697).\n* Release notes:\n http://www.bouncycastle.org/releasenotes.html\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2020-607",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_0607-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2020:0607-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SJ5CQDJZHIR5UUASDLGQDV3YILWDOSU3/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2020:0607-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SJ5CQDJZHIR5UUASDLGQDV3YILWDOSU3/"
},
{
"category": "self",
"summary": "SUSE Bug 1072697",
"url": "https://bugzilla.suse.com/1072697"
},
{
"category": "self",
"summary": "SUSE Bug 1100694",
"url": "https://bugzilla.suse.com/1100694"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-13098 page",
"url": "https://www.suse.com/security/cve/CVE-2017-13098/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-1000613 page",
"url": "https://www.suse.com/security/cve/CVE-2018-1000613/"
}
],
"title": "Security update for bouncycastle",
"tracking": {
"current_release_date": "2020-05-03T16:19:33Z",
"generator": {
"date": "2020-05-03T16:19:33Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2020:0607-1",
"initial_release_date": "2020-05-03T16:19:33Z",
"revision_history": [
{
"date": "2020-05-03T16:19:33Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "bouncycastle-1.60-lp151.3.3.1.noarch",
"product": {
"name": "bouncycastle-1.60-lp151.3.3.1.noarch",
"product_id": "bouncycastle-1.60-lp151.3.3.1.noarch"
}
},
{
"category": "product_version",
"name": "bouncycastle-javadoc-1.60-lp151.3.3.1.noarch",
"product": {
"name": "bouncycastle-javadoc-1.60-lp151.3.3.1.noarch",
"product_id": "bouncycastle-javadoc-1.60-lp151.3.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.1",
"product": {
"name": "openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-1.60-lp151.3.3.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:bouncycastle-1.60-lp151.3.3.1.noarch"
},
"product_reference": "bouncycastle-1.60-lp151.3.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bouncycastle-javadoc-1.60-lp151.3.3.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:bouncycastle-javadoc-1.60-lp151.3.3.1.noarch"
},
"product_reference": "bouncycastle-javadoc-1.60-lp151.3.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2017-13098",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-13098"
}
],
"notes": [
{
"category": "general",
"text": "BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as \"ROBOT.\"",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:bouncycastle-1.60-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:bouncycastle-javadoc-1.60-lp151.3.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-13098",
"url": "https://www.suse.com/security/cve/CVE-2017-13098"
},
{
"category": "external",
"summary": "SUSE Bug 1072697 for CVE-2017-13098",
"url": "https://bugzilla.suse.com/1072697"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:bouncycastle-1.60-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:bouncycastle-javadoc-1.60-lp151.3.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.1:bouncycastle-1.60-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:bouncycastle-javadoc-1.60-lp151.3.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-05-03T16:19:33Z",
"details": "low"
}
],
"title": "CVE-2017-13098"
},
{
"cve": "CVE-2018-1000613",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-1000613"
}
],
"notes": [
{
"category": "general",
"text": "Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027) vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:bouncycastle-1.60-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:bouncycastle-javadoc-1.60-lp151.3.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-1000613",
"url": "https://www.suse.com/security/cve/CVE-2018-1000613"
},
{
"category": "external",
"summary": "SUSE Bug 1096291 for CVE-2018-1000613",
"url": "https://bugzilla.suse.com/1096291"
},
{
"category": "external",
"summary": "SUSE Bug 1100694 for CVE-2018-1000613",
"url": "https://bugzilla.suse.com/1100694"
},
{
"category": "external",
"summary": "SUSE Bug 1153385 for CVE-2018-1000613",
"url": "https://bugzilla.suse.com/1153385"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:bouncycastle-1.60-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:bouncycastle-javadoc-1.60-lp151.3.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.1:bouncycastle-1.60-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:bouncycastle-javadoc-1.60-lp151.3.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-05-03T16:19:33Z",
"details": "moderate"
}
],
"title": "CVE-2018-1000613"
}
]
}
cnvd-2018-00599
Vulnerability from cnvd
Title
Legion of the Bouncy Castle TLS信息泄露漏洞
Description
Legion of the Bouncy Castle是澳大利亚Legion of the Bouncy Castle公司的一个用于Java平台的开源的轻量级密码包。TLS是其中的一个安全传输层协议。
Legion of the Bouncy Castle TLS 1.0.3之前的版本中存在信息泄露漏洞,该漏洞源于程序对加密函数使用了JCE(Java加密扩展)。攻击者可利用该漏洞从受影响的应用程序中找回密钥。
Severity
中
VLAI Severity ?
Patch Name
Legion of the Bouncy Castle TLS信息泄露漏洞的补丁
Patch Description
Legion of the Bouncy Castle是澳大利亚Legion of the Bouncy Castle公司的一个用于Java平台的开源的轻量级密码包。TLS是其中的一个安全传输层协议。
Legion of the Bouncy Castle TLS 1.0.3之前的版本中存在信息泄露漏洞,该漏洞源于程序对加密函数使用了JCE(Java加密扩展)。攻击者可利用该漏洞从受影响的应用程序中找回密钥。 目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c
Reference
http://www.kb.cert.org/vuls/id/144389
https://www.securityfocus.com/bid/102195
Impacted products
| Name | Legion of the Bouncy Castle Legion of the Bouncy Castle TLS <1.0.3 |
|---|
{
"bids": {
"bid": {
"bidNumber": "102195"
}
},
"cves": {
"cve": {
"cveNumber": "CVE-2017-13098"
}
},
"description": "Legion of the Bouncy Castle\u662f\u6fb3\u5927\u5229\u4e9aLegion of the Bouncy Castle\u516c\u53f8\u7684\u4e00\u4e2a\u7528\u4e8eJava\u5e73\u53f0\u7684\u5f00\u6e90\u7684\u8f7b\u91cf\u7ea7\u5bc6\u7801\u5305\u3002TLS\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u5b89\u5168\u4f20\u8f93\u5c42\u534f\u8bae\u3002\r\n\r\nLegion of the Bouncy Castle TLS 1.0.3\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u5bf9\u52a0\u5bc6\u51fd\u6570\u4f7f\u7528\u4e86JCE\uff08Java\u52a0\u5bc6\u6269\u5c55\uff09\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ece\u53d7\u5f71\u54cd\u7684\u5e94\u7528\u7a0b\u5e8f\u4e2d\u627e\u56de\u5bc6\u94a5\u3002",
"discovererName": "Hanno B\u00c3\u00b6ck, Juraj Somorovsky of Ruhr-Universit\u00c3\u00a4t Bochum/Hackmanit GmbH, and Craig Young of Tripwire VERT",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2018-00599",
"openTime": "2018-01-09",
"patchDescription": "Legion of the Bouncy Castle\u662f\u6fb3\u5927\u5229\u4e9aLegion of the Bouncy Castle\u516c\u53f8\u7684\u4e00\u4e2a\u7528\u4e8eJava\u5e73\u53f0\u7684\u5f00\u6e90\u7684\u8f7b\u91cf\u7ea7\u5bc6\u7801\u5305\u3002TLS\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u5b89\u5168\u4f20\u8f93\u5c42\u534f\u8bae\u3002\r\n\r\nLegion of the Bouncy Castle TLS 1.0.3\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u5bf9\u52a0\u5bc6\u51fd\u6570\u4f7f\u7528\u4e86JCE\uff08Java\u52a0\u5bc6\u6269\u5c55\uff09\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ece\u53d7\u5f71\u54cd\u7684\u5e94\u7528\u7a0b\u5e8f\u4e2d\u627e\u56de\u5bc6\u94a5\u3002 \u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Legion of the Bouncy Castle TLS\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "Legion of the Bouncy Castle Legion of the Bouncy Castle TLS \u003c1.0.3"
},
"referenceLink": "http://www.kb.cert.org/vuls/id/144389\r\nhttps://www.securityfocus.com/bid/102195",
"serverity": "\u4e2d",
"submitTime": "2017-12-15",
"title": "Legion of the Bouncy Castle TLS\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}
gsd-2017-13098
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as "ROBOT."
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2017-13098",
"description": "BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as \"ROBOT.\"",
"id": "GSD-2017-13098",
"references": [
"https://www.suse.com/security/cve/CVE-2017-13098.html",
"https://www.debian.org/security/2017/dsa-4072",
"https://advisories.mageia.org/CVE-2017-13098.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2017-13098"
],
"details": "BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as \"ROBOT.\"",
"id": "GSD-2017-13098",
"modified": "2023-12-13T01:21:01.444640Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2017-12-12T00:00:00.000Z",
"ID": "CVE-2017-13098",
"STATE": "PUBLIC",
"TITLE": "BouncyCastle JCE TLS Bleichenbacher/ROBOT"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BouncyCastle TLS",
"version": {
"version_data": [
{
"platform": "all",
"version_value": "\u003c1.0.3"
}
]
}
}
]
},
"vendor_name": "Legion of the Bouncy Castle"
}
]
}
},
"credit": [
""
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as \"ROBOT.\""
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-203"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "102195",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/102195"
},
{
"name": "VU#144389",
"refsource": "CERT-VN",
"url": "http://www.kb.cert.org/vuls/id/144389"
},
{
"name": "DSA-4072",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2017/dsa-4072"
},
{
"name": "openSUSE-SU-2020:0607",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"name": "https://robotattack.org/",
"refsource": "MISC",
"url": "https://robotattack.org/"
},
{
"name": "https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c",
"refsource": "CONFIRM",
"url": "https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c"
},
{
"name": "https://security.netapp.com/advisory/ntap-20171222-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20171222-0001/"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "(,1.0.3)",
"affected_versions": "All versions before 1.0.3",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-203",
"CWE-937"
],
"date": "2022-07-01",
"description": "BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as \"ROBOT.\"",
"fixed_versions": [
"1.0.3"
],
"identifier": "CVE-2017-13098",
"identifiers": [
"GHSA-wrwf-pmmj-w989",
"CVE-2017-13098"
],
"not_impacted": "All versions starting from 1.0.3",
"package_slug": "maven/org.bouncycastle/bcprov-jdk15on",
"pubdate": "2022-05-13",
"solution": "Upgrade to version 1.0.3 or above.",
"title": "Observable Discrepancy",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2017-13098",
"https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c",
"https://robotattack.org/",
"https://security.netapp.com/advisory/ntap-20171222-0001/",
"https://www.debian.org/security/2017/dsa-4072",
"https://www.oracle.com/security-alerts/cpuoct2020.html",
"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html",
"http://www.kb.cert.org/vuls/id/144389",
"https://github.com/advisories/GHSA-wrwf-pmmj-w989"
],
"uuid": "fff4b8c4-217b-4d2a-b140-10bdea37885a"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.59",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"ID": "CVE-2017-13098"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as \"ROBOT.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-203"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://robotattack.org/",
"refsource": "MISC",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://robotattack.org/"
},
{
"name": "https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c"
},
{
"name": "VU#144389",
"refsource": "CERT-VN",
"tags": [
"Issue Tracking",
"Mitigation",
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/144389"
},
{
"name": "102195",
"refsource": "BID",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/102195"
},
{
"name": "DSA-4072",
"refsource": "DEBIAN",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2017/dsa-4072"
},
{
"name": "https://security.netapp.com/advisory/ntap-20171222-0001/",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20171222-0001/"
},
{
"name": "openSUSE-SU-2020:0607",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
"refsource": "MISC",
"tags": [],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6
}
},
"lastModifiedDate": "2020-10-20T22:15Z",
"publishedDate": "2017-12-13T01:29Z"
}
}
}
CERTFR-2017-ALE-020
Vulnerability from certfr_alerte
[Mise à jour du 02/02/2018 : Ajout de l'avis de sécurité Aruba ARUBA-PSA-2018-002]
En 1998, le chercheur Daniel Bleichenbacher a découvert une vulnérabilité dans des implémentations du chiffrement RSA PKCS #1 v1.5 utilisé dans SSL.
Celle-ci permet une attaque à texte chiffré choisi. Après avoir passivement intercepté les communications entre un client et un serveur, un attaquant peut envoyer des requêtes mal formées à ce serveur, chiffrées avec la clé publique de celui-ci, dans le but d'obtenir des informations en fonction des messages d'erreurs reçus. Au bout d'un certain nombre de requêtes, l'attaquant est en mesure, sans deviner la clé privée, de récupérer la clé de session dans ses captures préalables et ainsi pouvoir déchiffrer les communications. Suivant les implémentations, ce nombre de requêtes varie de plusieurs dizaines de milliers à quelques millions. Cette attaque permet également de faire signer des messages arbitraires par le serveur.
Le 12 décembre 2017, des chercheurs ont publié leurs travaux sur cette vulnérabilité par le biais d'un site internet (cf. section Documentation) et d'un papier blanc (cf. section Documentation). En scannant internet, ils ont découvert que de nombreuses implémentations de piles TLS sont encore vulnérables, soit parce qu'elles n'ont pas été mises à jour, soit parce qu'il n'a pas été tenu compte des contre-mesures existantes.
Ces chercheurs estiment qu'une attaque de l'intercepteur actif (Mitm) est peu pratique à mettre en oeuvre à cause du temps requis pour récupérer la clé de session. En effet, celui-ci est de l'ordre de plusieurs secondes ; cela est suffisant pour une attaque hors ligne, mais trop long pour se placer discrètement dans une communication. Ils recommandent de désactiver le chiffrement RSA au profit de l'utilisation de l'algorithme de Diffie-Hellman en courbes elliptiques.
Le 30 janvier 2018, Aruba Networks a publié un avis de sécurité pour indiquer que les versions d'InstantOS antérieures à 6.5.4.6 étaient vulnérables (cf. section Documentation). La version 6.5.4.6 n'est cependant pas encore disponible et ne possède pas de date de sortie officielle.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Contournement provisoire
Le CERT-FR recommande l'utilisation des outils fournis par les chercheurs sur leur site (cf. section Documentation) afin de déterminer si des équipements sont vulnérables. D'un point de vue opérationnel, la désactivation du chiffrement RSA peut s'avérer compliquée. Il est aussi possible de surveiller les communications réseaux pour détecter des pics d'envois de messages erronés.
En cas de présence d'équipement vulnérable, les communications ne peuvent plus être considérées comme confidentielles. De même, on ne peut plus faire confiance aux messages signés par un serveur vulnérable.
Les chercheurs ont annoncé qu'ils disposaient d'une preuve de concept. Pour l'instant, celle-ci n'est pas disponible publiquement, mais ils ont annoncé qu'ils comptaient la publier après avoir laissé du temps supplémentaire aux constructeurs pour corriger cette faille.
Le CERT-FR recommande l'installation des correctifs dès que ceux-ci sont disponibles.
NoneImpacted products
References
| Title | Publication Time | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Se r\u00e9f\u00e9rer \u00e0 la liste des produits affect\u00e9s sur le site du kd.cert.org (cf. section Documentation)",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
}
],
"affected_systems_content": null,
"closed_at": "2018-04-06",
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n\n## Contournement provisoire\n\nLe CERT-FR recommande l\u0027utilisation des outils fournis par les\nchercheurs sur leur site (cf. section Documentation) afin de d\u00e9terminer\nsi des \u00e9quipements sont vuln\u00e9rables. D\u0027un point de vue op\u00e9rationnel, la\nd\u00e9sactivation du chiffrement RSA peut s\u0027av\u00e9rer compliqu\u00e9e. Il est aussi\npossible de surveiller les communications r\u00e9seaux pour d\u00e9tecter des pics\nd\u0027envois de messages erron\u00e9s.\n\nEn cas de pr\u00e9sence d\u0027\u00e9quipement vuln\u00e9rable, les communications ne\npeuvent plus \u00eatre consid\u00e9r\u00e9es comme confidentielles. De m\u00eame, on ne peut\nplus faire confiance aux messages sign\u00e9s par un serveur vuln\u00e9rable.\n\nLes chercheurs ont annonc\u00e9 qu\u0027ils disposaient d\u0027une preuve de concept.\nPour l\u0027instant, celle-ci n\u0027est pas disponible publiquement, mais ils ont\nannonc\u00e9 qu\u0027ils comptaient la publier apr\u00e8s avoir laiss\u00e9 du temps\nsuppl\u00e9mentaire aux constructeurs pour corriger cette faille.\n\nLe CERT-FR recommande l\u0027installation des correctifs d\u00e8s que ceux-ci sont\ndisponibles.\n",
"cves": [
{
"name": "CVE-2017-13099",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-13099"
},
{
"name": "CVE-2017-1000385",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-1000385"
},
{
"name": "CVE-2016-6883",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6883"
},
{
"name": "CVE-2017-17428",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-17428"
},
{
"name": "CVE-2017-13098",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-13098"
},
{
"name": "CVE-2012-5081",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5081"
},
{
"name": "CVE-2017-6168",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-6168"
},
{
"name": "CVE-2017-17382",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-17382"
},
{
"name": "CVE-2017-17427",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-17427"
}
],
"initial_release_date": "2017-12-13T00:00:00",
"last_revision_date": "2018-04-06T00:00:00",
"links": [
{
"title": "Avis CERT-FR CERTFR-2017-AVI-463",
"url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2017-AVI-463/"
},
{
"title": "Return Of Bleichenbacher\u2019s Oracle Threat (ROBOT)",
"url": "https://eprint.iacr.org/2017/1189.pdf"
},
{
"title": "Liste \u00e9tendue de produits affect\u00e9s",
"url": "https://www.kb.cert.org/vuls/byvendor?searchview\u0026Query=FIELD+Reference=144389\u0026SearchOrder=4"
},
{
"title": "Avis de s\u00e9curit\u00e9 Aruba ARUBA-PSA-2018-002 du 30 janvier 2018",
"url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-002.txt"
},
{
"title": "Avis CERT-FR CERTFR-2017-AVI-462",
"url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2017-AVI-462/"
}
],
"reference": "CERTFR-2017-ALE-020",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2017-12-13T00:00:00.000000"
},
{
"description": "Ajout de l\u0027avis de s\u00e9curit\u00e9 Aruba ARUBA-PSA-2018-002",
"revision_date": "2018-02-02T00:00:00.000000"
},
{
"description": "Cl\u00f4ture de l\u0027alerte",
"revision_date": "2018-04-06T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "\\[Mise \u00e0 jour du 02/02/2018 : Ajout de l\u0027avis de s\u00e9curit\u00e9 Aruba\nARUBA-PSA-2018-002\\]\n\nEn 1998, le chercheur\u00a0Daniel Bleichenbacher a d\u00e9couvert une\nvuln\u00e9rabilit\u00e9 dans des impl\u00e9mentations du chiffrement RSA PKCS \\#1 v1.5\nutilis\u00e9 dans SSL.\n\nCelle-ci permet une attaque \u00e0 texte chiffr\u00e9 choisi. Apr\u00e8s avoir\npassivement intercept\u00e9 les communications entre un client et un serveur,\nun attaquant peut envoyer des requ\u00eates mal form\u00e9es \u00e0 ce serveur,\nchiffr\u00e9es avec la cl\u00e9 publique de celui-ci, dans le but d\u0027obtenir des\ninformations en fonction des messages d\u0027erreurs re\u00e7us. Au bout d\u0027un\ncertain nombre de requ\u00eates, l\u0027attaquant est en mesure, sans deviner la\ncl\u00e9 priv\u00e9e, de r\u00e9cup\u00e9rer la cl\u00e9 de session dans ses captures pr\u00e9alables\net ainsi pouvoir d\u00e9chiffrer les communications. Suivant les\nimpl\u00e9mentations, ce nombre de requ\u00eates varie de plusieurs dizaines de\nmilliers \u00e0 quelques millions. Cette attaque permet \u00e9galement de faire\nsigner des messages arbitraires par le serveur.\n\nLe 12 d\u00e9cembre 2017, des chercheurs ont publi\u00e9 leurs travaux sur cette\nvuln\u00e9rabilit\u00e9 par le biais d\u0027un site internet (cf. section\nDocumentation) et d\u0027un papier blanc (cf. section Documentation). En\nscannant internet, ils ont d\u00e9couvert que de nombreuses impl\u00e9mentations\nde piles TLS sont encore vuln\u00e9rables, soit parce qu\u0027elles n\u0027ont pas \u00e9t\u00e9\nmises \u00e0 jour, soit parce qu\u0027il n\u0027a pas \u00e9t\u00e9 tenu compte des\ncontre-mesures existantes.\n\nCes chercheurs estiment qu\u0027une attaque de l\u0027intercepteur actif (Mitm)\nest peu pratique \u00e0 mettre en oeuvre \u00e0 cause du temps requis pour\nr\u00e9cup\u00e9rer la cl\u00e9 de session. En effet, celui-ci est de l\u0027ordre de\nplusieurs secondes ; cela est suffisant pour une attaque hors ligne,\nmais trop long pour se placer discr\u00e8tement dans une communication. Ils\nrecommandent de d\u00e9sactiver le chiffrement RSA au profit de l\u0027utilisation\nde l\u0027algorithme de Diffie-Hellman en courbes elliptiques.\n\nLe 30 janvier 2018, Aruba Networks a publi\u00e9 un avis de s\u00e9curit\u00e9 pour\nindiquer que les versions d\u0027InstantOS ant\u00e9rieures \u00e0 6.5.4.6 \u00e9taient\nvuln\u00e9rables (cf. section Documentation). La version 6.5.4.6 n\u0027est\ncependant pas encore disponible et ne poss\u00e8de pas de date de sortie\nofficielle.\n\n\u00a0\n",
"title": "Vuln\u00e9rabilit\u00e9 dans des impl\u00e9mentations de TLS",
"vendor_advisories": [
{
"published_at": null,
"title": "robotattack.org",
"url": "https://robotattack.org/"
}
]
}
ghsa-wrwf-pmmj-w989
Vulnerability from github
Published
2022-05-13 01:14
Modified
2022-07-01 20:14
Severity ?
VLAI Severity ?
Summary
Observable Discrepancy in BouncyCastle
Details
BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as "ROBOT."
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-jdk15on"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-13098"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-01T20:14:25Z",
"nvd_published_at": "2017-12-13T01:29:00Z",
"severity": "MODERATE"
},
"details": "BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as \"ROBOT.\"",
"id": "GHSA-wrwf-pmmj-w989",
"modified": "2022-07-01T20:14:25Z",
"published": "2022-05-13T01:14:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13098"
},
{
"type": "WEB",
"url": "https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c"
},
{
"type": "PACKAGE",
"url": "https://github.com/bcgit/bc-java"
},
{
"type": "WEB",
"url": "https://robotattack.org"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20171222-0001"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-4072"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html"
},
{
"type": "WEB",
"url": "http://www.kb.cert.org/vuls/id/144389"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Observable Discrepancy in BouncyCastle"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…