Bug 1588306 (CVE-2018-1000180) - CVE-2018-1000180 bouncycastle: flaw in the low-level interface to RSA key pair generator
Summary: CVE-2018-1000180 bouncycastle: flaw in the low-level interface to RSA key pai...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1000180
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180418,repor...
Depends On: 1588307 1588308 1588309 1589564 1589565 1592655 1592662
Blocks: 1588310
TreeView+ depends on / blocked
 
Reported: 2018-06-07 05:11 UTC by Sam Fowler
Modified: 2019-06-27 04:32 UTC (History)
63 users (show)

Fixed In Version: bouncycastle 1.60beta4
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in BouncyCastle. The number of iterations of the Miller-Rabin primality test was incorrectly calculated (according to FIPS 186-4 C.3). Under some circumstances, this could lead to the generation of weak RSA key pairs.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:27:25 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2423 None None None 2018-08-15 11:31:33 UTC
Red Hat Product Errata RHSA-2018:2424 None None None 2018-08-15 11:33:25 UTC
Red Hat Product Errata RHSA-2018:2425 None None None 2018-08-15 11:20:37 UTC
Red Hat Product Errata RHSA-2018:2428 None None None 2018-08-15 11:30:22 UTC
Red Hat Product Errata RHSA-2018:2643 None None None 2018-09-04 13:46:10 UTC
Red Hat Product Errata RHSA-2018:2669 None None None 2018-09-11 07:56:01 UTC
Red Hat Product Errata RHSA-2019:0877 None None None 2019-04-24 18:46:47 UTC

Description Sam Fowler 2018-06-07 05:11:22 UTC
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.


Upstream Issue:

https://www.bouncycastle.org/jira/browse/BJA-694


Upstream Commits:

https://github.com/bcgit/bc-java/commit/22467b6e8fe19717ecdf201c0cf91bacf04a55ad
https://github.com/bcgit/bc-java/commit/73780ac522b7795fc165630aba8d5f5729acc839

Comment 1 Sam Fowler 2018-06-07 05:12:18 UTC
Created bouncycastle tracking bugs for this issue:

Affects: epel-all [bug 1588307]
Affects: fedora-all [bug 1588308]

Comment 9 errata-xmlrpc 2018-08-15 11:20:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:2425 https://access.redhat.com/errata/RHSA-2018:2425

Comment 10 errata-xmlrpc 2018-08-15 11:29:59 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.2.4 zip

Via RHSA-2018:2428 https://access.redhat.com/errata/RHSA-2018:2428

Comment 11 errata-xmlrpc 2018-08-15 11:31:16 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2018:2423 https://access.redhat.com/errata/RHSA-2018:2423

Comment 12 errata-xmlrpc 2018-08-15 11:33:08 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2018:2424 https://access.redhat.com/errata/RHSA-2018:2424

Comment 14 errata-xmlrpc 2018-09-04 13:45:50 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2018:2643 https://access.redhat.com/errata/RHSA-2018:2643

Comment 15 errata-xmlrpc 2018-09-11 07:55:41 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:2669 https://access.redhat.com/errata/RHSA-2018:2669

Comment 17 errata-xmlrpc 2019-04-24 18:46:44 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2019:0877 https://access.redhat.com/errata/RHSA-2019:0877

Comment 19 Richard Maciel Costa 2019-05-03 18:04:38 UTC
Statement:

This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Red Hat Satellite 6.5 isn't vulnerable to this issue, since it doesn't ship bouncycastle jar file anymore.

Comment 20 Joshua Padman 2019-05-15 22:42:21 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Data Virtualization & Services 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.


Note You need to log in before you can comment on or make changes to this bug.