Vulnerability CVE-2016-1000343
Published: 2018-06-04

Description:
In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.

Type:

CWE-310

 (Cryptographic Issues)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
Debian -> Debian linux 
Bouncycastle -> Legion-of-the-bouncy-castle-java-crytography-api 

 References:
https://access.redhat.com/errata/RHSA-2018:2669
https://access.redhat.com/errata/RHSA-2018:2927
https://github.com/bcgit/bc-java/commit/50a53068c094d6cff37659da33c9b4505becd389#diff-5578e61500abb2b87b300d3114bdfd7d
https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html
https://security.netapp.com/advisory/ntap-20181127-0004/
https://usn.ubuntu.com/3727-1/
Copyright 2024, cxsecurity.com

 

Back to Top