Bug 1276272 (CVE-2015-7940)
Summary: | CVE-2015-7940 bouncycastle: Invalid curve attack allowing to extract private keys | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NEXTRELEASE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aileenc, bkearney, cbillett, chazlett, cpelland, hghasemb, jshepherd, katello-bugs, kseifried, langel, mmccune, msrb, ohadlevy, steve.traylen, tjay, tlestach, tomckay |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | bouncycastle 1.51 | Doc Type: | Bug Fix |
Doc Text: |
It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2016-05-16 23:29:50 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1277404, 1277405 | ||
Bug Blocks: | 1276274, 1379523, 1381801 |
Description
Adam Mariš
2015-10-29 10:15:57 UTC
Seem affected only in Fedora 21 and 22 (1.50). For Fedora 23 and 24 use bouncycastle 1.52. Subscription Asset Manager and Satellite 6 both use Candlepin which in turn uses Bouncecastle for X.509 certificate handling. As such they are not really vulnerable to attack so changing to WONTFIX. Created bouncycastle tracking bugs for this issue: Affects: fedora-all [bug 1277404] Affects: epel-all [bug 1277405] bouncycastle-1.50-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. Version 6.3 of Red Hat JBoss A-MQ, and Red Hat JBoss Fuse will upgrade to the JClouds and Bouncy Castle to an non-affected version 1.54 This issue has been addressed in the following products: Red Hat JBoss A-MQ 6.3 Via RHSA-2016:2036 https://rhn.redhat.com/errata/RHSA-2016-2036.html This issue has been addressed in the following products: Red Hat JBoss Fuse 6.3 Via RHSA-2016:2035 https://rhn.redhat.com/errata/RHSA-2016-2035.html |