Bug 1276272 (CVE-2015-7940) - CVE-2015-7940 bouncycastle: Invalid curve attack allowing to extract private keys
Summary: CVE-2015-7940 bouncycastle: Invalid curve attack allowing to extract private ...
Status: CLOSED NEXTRELEASE
Alias: CVE-2015-7940
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20150914,repor...
Keywords: Security
Depends On: 1277405 1277404
Blocks: 1276274 1379523 1381801
TreeView+ depends on / blocked
 
Reported: 2015-10-29 10:15 UTC by Adam Mariš
Modified: 2019-06-08 20:49 UTC (History)
17 users (show)

(edit)
It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries.
Clone Of:
(edit)
Last Closed: 2016-05-16 23:29:50 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2035 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse 6.3 security update 2016-10-06 20:18:07 UTC
Red Hat Product Errata RHSA-2016:2036 normal SHIPPED_LIVE Important: Red Hat JBoss A-MQ 6.3 security update 2016-10-06 20:18:02 UTC

Description Adam Mariš 2015-10-29 10:15:57 UTC
A vulnerability in bouncycastle implementation was found, allowing to perform invalid curve attack. The attack allows to extract private keys used in elliptic curve cryptography with a few thousand queries.

Upstream patches:

https://github.com/bcgit/bc-java/commit/5cb2f0578e6ec8f0d67e59d05d8c4704d8e05f83
https://github.com/bcgit/bc-java/commit/e25e94a046a6934819133886439984e2fecb2b04

CVE assignment:

http://seclists.org/oss-sec/2015/q4/131

Detailed info about the attack:

http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html

Comment 1 gil cattaneo 2015-10-29 10:46:12 UTC
Seem affected only in Fedora 21 and 22 (1.50).
For Fedora 23 and 24 use bouncycastle 1.52.

Comment 2 Kurt Seifried 2015-10-30 00:43:13 UTC
Subscription Asset Manager and Satellite 6 both use Candlepin which in turn uses Bouncecastle for X.509 certificate handling. As such they are not really vulnerable to attack so changing to WONTFIX.

Comment 3 Adam Mariš 2015-11-03 09:23:57 UTC
Created bouncycastle tracking bugs for this issue:

Affects: fedora-all [bug 1277404]
Affects: epel-all [bug 1277405]

Comment 4 Fedora Update System 2016-01-04 19:51:03 UTC
bouncycastle-1.50-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Jason Shepherd 2016-05-16 23:28:58 UTC
Version 6.3 of Red Hat JBoss A-MQ, and Red Hat JBoss Fuse will upgrade to the JClouds and Bouncy Castle to an non-affected version 1.54

Comment 6 errata-xmlrpc 2016-10-06 16:18:43 UTC
This issue has been addressed in the following products:

  Red Hat JBoss A-MQ 6.3

Via RHSA-2016:2036 https://rhn.redhat.com/errata/RHSA-2016-2036.html

Comment 7 errata-xmlrpc 2016-10-06 16:19:27 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.3

Via RHSA-2016:2035 https://rhn.redhat.com/errata/RHSA-2016-2035.html


Note You need to log in before you can comment on or make changes to this bug.