Bug 1588721 (CVE-2016-1000343)

Summary: CVE-2016-1000343 bouncycastle: DSA key pair generator generates a weak private key by default
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: avibelli, bcourt, bgeorges, bkearney, bmaxwell, bmcclain, cbillett, cdewolf, chazlett, csutherl, darran.lofthouse, dblechte, dimitris, dosoudil, drieden, eedri, hhorak, jawilson, jbalunas, jjohnstn, jmatthew, jolee, jorton, jpallich, jschatte, jshepherd, jstastny, krathod, lgao, lthon, mgoldboi, michal.skrivanek, mmccune, mrike, mszynkie, myarboro, ohadlevy, pdrozd, pgallagh, pgier, psakar, pslavice, psotirop, puntogil, rchan, rgrunber, rnetuka, rruss, rsvoboda, sbonazzo, sherold, steve.traylen, sthorger, tomckay, trogers, tsanders, twalsh, vhalbert, vtunka, ykaul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: bouncycastle 1.56 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:27:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1588723, 1588724, 1588725, 1589584, 1589585, 1592662    
Bug Blocks: 1588310    

Description Pedro Sampaio 2018-06-07 18:32:31 UTC
In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair
generator generates a weak private key if used with default values. If the JCA
key pair generator is not explicitly initialised with DSA parameters, 1.55 and
earlier generates a private value assuming a 1024 bit key size. In earlier
releases this can be dealt with by explicitly passing parameters to the key pair
generator.

Upstream patch:

https://github.com/bcgit/bc-java/commit/50a53068c094d6cff37659da33c9b4505becd389#diff-5578e61500abb2b87b300d3114bdfd7d

Comment 1 Pedro Sampaio 2018-06-07 18:33:42 UTC
Created bouncycastle tracking bugs for this issue:

Affects: epel-all [bug 1588724]
Affects: fedora-all [bug 1588723]

Comment 3 Mat Booth 2018-06-07 20:13:55 UTC
(In reply to Pedro Sampaio from comment #1)
> Affects: fedora-all [bug 1588723]

Fedora already carries bouncycastle newer than 1.56, so I will close this bug.

Comment 6 Kurt Seifried 2018-06-10 20:29:44 UTC
Statement:

This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Low. No update is planned for this product at this time. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 8 errata-xmlrpc 2018-09-11 07:57:45 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:2669 https://access.redhat.com/errata/RHSA-2018:2669

Comment 9 errata-xmlrpc 2018-10-16 15:25:47 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927