Bug 1444015 (CVE-2015-6644)

Summary: CVE-2015-6644 bouncycastle: Information disclosure in GCMBlockCipher
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aileenc, bcourt, bkearney, bmaxwell, cbillett, cdewolf, chazlett, csutherl, darran.lofthouse, dimitris, dosoudil, jawilson, jmatthew, jshepherd, langel, lgao, mmccune, mstead, myarboro, ohadlevy, pgier, psakar, pslavice, psotirop, puntogil, rnetuka, rsvoboda, tlestach, tomckay, tsanders, twalsh, vtunka
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20160101,reported=20170412,source=bugtraq,cvss3=5.5/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-200,fedora-24/bouncycastle=affected,fedora-25/bouncycastle=notaffected,epel-all/bouncycastle=affected,rhn_satellite_6/bouncycastle=affected,sam-1/bouncycastle=wontfix,fuse-6/fabric8=affected,amq-6/fabric8=affected,eap-7/bouncycastle=affected
Fixed In Version: bouncycastle 1.56
Doc Type: If docs needed, set a value
Doc Text: It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to a user's private information.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 03:10:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1444025, 1444024, 1471348, 1545363
Bug Blocks: 1444031, 1493931

Description Andrej Nemec 2017-04-20 12:34:54 UTC
An information disclosure vulnerability in Bouncy Castle could enable a local malicious application to gain access to user’s private information.

Upstream bug:

https://github.com/bcgit/bc-java/issues/177

References:

https://source.android.com/security/bulletin/2016-01-01#information_disclosure_vulnerability_in_bouncy_castle

Comment 1 Andrej Nemec 2017-04-20 12:52:36 UTC
Created bouncycastle tracking bugs for this issue:

Affects: epel-all [bug 1444025]
Affects: fedora-24 [bug 1444024]

Comment 3 Hooman Broujerdi 2017-04-28 06:22:12 UTC
JBoss Fuse ships bouncycastle version 1.54 in fabric8, Camel and Karaf containers.
To have the fix for this particular CVE, users should update to version 1.56 or later.
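The comment above gives the only actionable remediation on this page: the affected product ships Bouncy Castle 1.54 and the fix is in 1.56 or later (matching the "Fixed In Version" field). As an added example, not code from Bouncy Castle, Red Hat or this bug, the script below inventories the jars under a directory and flags any Bouncy Castle jar whose manifest version predates 1.56. It assumes the installed jar carries a standard `Implementation-Version` or OSGi `Bundle-Version` manifest attribute and that its manifest mentions the `org.bouncycastle` package or the words "Bouncy Castle"; the sample jars it scans are constructed in a temporary directory so it runs offline.

```python
import os
import re
import tempfile
import zipfile

# Fix version from this bug's "Fixed In Version" field (bouncycastle 1.56).
FIXED_VERSION = (1, 56)

# Manifest attributes consulted, in order of preference. Implementation-Version
# is a standard JAR attribute, Bundle-Version the OSGi header. Assumption: the
# deployed Bouncy Castle jar carries at least one of them.
VERSION_HEADERS = ("Implementation-Version", "Bundle-Version")


def parse_version(text):
    """Turn '1.54', '1.54.0' or '1.56-beta' into a comparable tuple such as (1, 54)."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def manifest_version(manifest_text):
    """Return the version string from MANIFEST.MF text, or None if absent.

    JAR manifests wrap long values onto following lines that start with a
    single space, so those continuation lines are joined first.
    """
    joined = manifest_text.replace("\r\n", "\n").replace("\n ", "")
    attrs = {}
    for line in joined.split("\n"):
        if ":" in line:
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
    for header in VERSION_HEADERS:
        if header in attrs:
            return attrs[header]
    return None


def is_vulnerable(version_tuple):
    """True when the parsed version is older than the fixed release."""
    width = max(len(version_tuple), len(FIXED_VERSION))
    padded = version_tuple + (0,) * (width - len(version_tuple))
    fixed = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    return padded < fixed


def scan_jars(directory):
    """Return {jar_path: version} for Bouncy Castle jars older than 1.56.

    A Bouncy Castle jar with no parseable version is reported as 'unknown'
    rather than silently passed, so it still gets a manual look.
    """
    findings = {}
    for root, _, files in os.walk(directory):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(root, name)
            with zipfile.ZipFile(path) as zf:
                if "META-INF/MANIFEST.MF" not in zf.namelist():
                    continue
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            # Assumption: a Bouncy Castle manifest names its package or the project.
            if "org.bouncycastle" not in manifest and "Bouncy Castle" not in manifest:
                continue
            version = manifest_version(manifest)
            parsed = parse_version(version) if version else None
            if parsed is None or is_vulnerable(parsed):
                findings[path] = version or "unknown"
    return findings


def make_sample_jar(path, manifest_text):
    """Write a minimal jar containing only a manifest (constructed fixture)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)


def demo():
    """Build three constructed jars in a temp directory and scan them."""
    d = tempfile.mkdtemp()
    make_sample_jar(os.path.join(d, "bcprov-jdk15on-1.54.jar"),
                    "Manifest-Version: 1.0\nImplementation-Version: 1.54.0\n"
                    "Export-Package: org.bouncycastle.crypto.modes\n")
    make_sample_jar(os.path.join(d, "bcprov-jdk15on-1.56.jar"),
                    "Manifest-Version: 1.0\nBundle-Version: 1.56\n"
                    "Export-Package: org.bouncycastle.crypto.modes\n")
    make_sample_jar(os.path.join(d, "unrelated.jar"),
                    "Manifest-Version: 1.0\nImplementation-Version: 1.0\n")
    return scan_jars(d)


if __name__ == "__main__":
    for jar_path, jar_version in demo().items():
        print(f"needs update to 1.56+: {jar_path} (Bouncy Castle {jar_version})")
```

Point `scan_jars` at a real deployment's library directory to list the jars that still need the 1.56 update; the version comparison is numeric rather than string-based so that "1.60" is correctly treated as newer than "1.56".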

Comment 6 errata-xmlrpc 2017-08-10 23:04:46 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2017:1832 https://access.redhat.com/errata/RHSA-2017:1832

Comment 7 errata-xmlrpc 2017-09-26 17:59:23 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0.8

Via RHSA-2017:2810 https://access.redhat.com/errata/RHSA-2017:2810

Comment 8 errata-xmlrpc 2017-09-26 18:42:06 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2017:2808 https://access.redhat.com/errata/RHSA-2017:2808

Comment 9 errata-xmlrpc 2017-09-26 18:54:20 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:2809 https://access.redhat.com/errata/RHSA-2017:2809

Comment 10 errata-xmlrpc 2017-09-26 19:15:40 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:2811 https://access.redhat.com/errata/RHSA-2017:2811

Comment 15 errata-xmlrpc 2018-10-16 15:19:25 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927