CVE-2016-1000338 – bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data
https://notcve.org/view.php?id=CVE-2016-1000338
In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure. En Bouncy Castle JCE Provider en versiones 1.55 y anteriores, el DSA no valida completamente el cifrado ASN.1 de la firma en verificación. Es posible inyectar elementos extra en la secuencia que forma la firma y, aún así, validarla. En algunos casos, esto podría permitir la introducción de datos "invisibles" en una estructura firmada. • https://access.redhat.com/errata/RHSA-2018:2669 https://access.redhat.com/errata/RHSA-2018:2927 https://github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f#diff-3679f5a9d2b939d0d3ee1601a7774fb0 https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html https://security.netapp.com/advisory/ntap-20231006-0011 https://usn.ubuntu.com/3727-1 https://www.oracle.com/secur • CWE-325: Missing Cryptographic Step CWE-347: Improper Verification of Cryptographic Signature •
CVE-2017-13098 – BouncyCastle JCE TLS Bleichenbacher/ROBOT
https://notcve.org/view.php?id=CVE-2017-13098
BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as "ROBOT." BouncyCastle TLS, en versiones anteriores a la 1.0.3 cuando está configurado para utilizar la JCE (Java Cryptography Extension) para funciones criptográficas, proporciona un oráculo de Bleichenbacher débil cuando se negocia una suite de cifrado TLS que utiliza un intercambio de claves RSA. Un atacante puede recuperar la clave privada desde una aplicación vulnerable. • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html http://www.kb.cert.org/vuls/id/144389 http://www.securityfocus.com/bid/102195 https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c https://robotattack.org https://security.netapp.com/advisory/ntap-20171222-0001 https://www.debian.org/security/2017/dsa-4072 https://www.oracle.com/security-alerts/cpuoct2020.html • CWE-203: Observable Discrepancy •
CVE-2016-2427
https://notcve.org/view.php?id=CVE-2016-2427
The AES-GCM specification in RFC 5084, as used in Android 5.x and 6.x, recommends 12 octets for the aes-ICVlen parameter field, which might make it easier for attackers to defeat a cryptographic protection mechanism and discover an authentication key via a crafted application, aka internal bug 26234568. NOTE: The vendor disputes the existence of this potential issue in Android, stating "This CVE was raised in error: it referred to the authentication tag size in GCM, whose default according to ASN.1 encoding (12 bytes) can lead to vulnerabilities. After careful consideration, it was decided that the insecure default value of 12 bytes was a default only for the encoding and not default anywhere else in Android, and hence no vulnerability existed. **DISPUTADA** La especificación AES-GCM en RFC 5084,como es utilizado en Android 5.x y 6.x, recomienda 12 octetos para el campo de parámetro aes-ICVlen, lo que podría facilitar a atacantes derrotar el mecanismo de protección criptográfico y descubrir una clave de autenticación a través de una aplicación manipulada, también conocido como error interno 26234568. NOTA: El vendedor disputa la existencia de este potencial problema en Android, indicando que "Esta CVE fue levantada por error: se refería al tamaño de la etiqueta de autenticación en GCM, cuyo defecto de acuerdo con la codificación ASN.1 (12 bytes) puede llevar a vulnerabilidades. • http://source.android.com/security/bulletin/2016-04-02.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •