Bug 1276272 (CVE-2015-7940)

Summary: CVE-2015-7940 bouncycastle: Invalid curve attack allowing to extract private keys
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NEXTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, bkearney, cbillett, chazlett, cpelland, hghasemb, jshepherd, katello-bugs, kseifried, langel, mmccune, msrb, ohadlevy, steve.traylen, tjay, tlestach, tomckay
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: bouncycastle 1.51 Doc Type: Bug Fix
Doc Text:
It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-16 23:29:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1277404, 1277405    
Bug Blocks: 1276274, 1379523, 1381801    

Description Adam Mariš 2015-10-29 10:15:57 UTC 
A vulnerability in bouncycastle implementation was found, allowing to perform invalid curve attack. The attack allows to extract private keys used in elliptic curve cryptography with a few thousand queries.

Upstream patches:

https://github.com/bcgit/bc-java/commit/5cb2f0578e6ec8f0d67e59d05d8c4704d8e05f83
https://github.com/bcgit/bc-java/commit/e25e94a046a6934819133886439984e2fecb2b04

CVE assignment:

http://seclists.org/oss-sec/2015/q4/131

Detailed info about the attack:

http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html
Comment 1 gil cattaneo 2015-10-29 10:46:12 UTC 
Seem affected only in Fedora 21 and 22 (1.50).
For Fedora 23 and 24 use bouncycastle 1.52.
Comment 2 Kurt Seifried 2015-10-30 00:43:13 UTC 
Subscription Asset Manager and Satellite 6 both use Candlepin which in turn uses Bouncecastle for X.509 certificate handling. As such they are not really vulnerable to attack so changing to WONTFIX.
Comment 3 Adam Mariš 2015-11-03 09:23:57 UTC 
Created bouncycastle tracking bugs for this issue:

Affects: fedora-all [bug 1277404]
Affects: epel-all [bug 1277405]
Comment 4 Fedora Update System 2016-01-04 19:51:03 UTC 
bouncycastle-1.50-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Jason Shepherd 2016-05-16 23:28:58 UTC 
Version 6.3 of Red Hat JBoss A-MQ, and Red Hat JBoss Fuse will upgrade to the JClouds and Bouncy Castle to an non-affected version 1.54
Comment 6 errata-xmlrpc 2016-10-06 16:18:43 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss A-MQ 6.3

Via RHSA-2016:2036 https://rhn.redhat.com/errata/RHSA-2016-2036.html
Comment 7 errata-xmlrpc 2016-10-06 16:19:27 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.3

Via RHSA-2016:2035 https://rhn.redhat.com/errata/RHSA-2016-2035.html