|The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.|
Bouncy Castle, Oracle Java: disclosure of elliptic curve private keys
Synthesis of the vulnerability
An attacker can use a vulnerability in the elliptic curve implementation of Bouncy Castle and Oracle Java, in order to obtain sensitive information.
Vulnerable products: Bouncy Castle JCE, DCFM Enterprise, FabricOS, Brocade Network Advisor, Brocade vTM, Debian, Fedora, IRAD, WebSphere MQ, Juniper SBR, Mule ESB, SnapManager, Java OpenJDK, openSUSE, openSUSE Leap, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Oracle iPlanet Web Server, Java Oracle, JavaFX, Oracle OIT, Tuxedo, Oracle Virtual Directory, WebLogic, Oracle Web Tier, Ubuntu.
Severity of this weakness: 3/4.
Consequences of an attack: data reading.
Hacker's origin: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 22/10/2015.
Références of this bulletin: 1968485, 1972455, 9010041, 9010044, BSA-2016-002, CERTFR-2019-AVI-325, cpuapr2018, cpujan2017, cpujan2018, cpujan2019, cpujul2015, cpujul2017, cpujul2018, cpuoct2017, CVE-2015-2613, CVE-2015-7940, DSA-3417-1, FEDORA-2015-7d95466eda, JSA10939, NTAP-20150715-0001, NTAP-20151028-0001, openSUSE-SU-2015:1911-1, RHSA-2016:2035-01, RHSA-2016:2036-01, USN-3727-1, VIGILANCE-VUL-18168.
Description of the vulnerability
The Bouncy Castle and Oracle Java products implement algorithms based on elliptic curves.
However, if the client forces the server to compute a common secret based on points located outside the chosen curve, he can progressively guess the full server key.
An attacker can therefore use a vulnerability in the elliptic curve implementation of Bouncy Castle and Oracle Java, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)
Computer vulnerabilities tracking service
Vigil@nce provides application vulnerability analysis. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications. The technology watch team tracks security threats targeting the computer system. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.