Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later. Upstream Issue: https://www.bouncycastle.org/jira/browse/BJA-694 Upstream Commits: https://github.com/bcgit/bc-java/commit/22467b6e8fe19717ecdf201c0cf91bacf04a55ad https://github.com/bcgit/bc-java/commit/73780ac522b7795fc165630aba8d5f5729acc839
Created bouncycastle tracking bugs for this issue: Affects: epel-all [bug 1588307] Affects: fedora-all [bug 1588308]
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:2425 https://access.redhat.com/errata/RHSA-2018:2425
This issue has been addressed in the following products: Red Hat Single Sign-On 7.2.4 zip Via RHSA-2018:2428 https://access.redhat.com/errata/RHSA-2018:2428
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:2423 https://access.redhat.com/errata/RHSA-2018:2423
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2018:2424 https://access.redhat.com/errata/RHSA-2018:2424
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2018:2643 https://access.redhat.com/errata/RHSA-2018:2643
This issue has been addressed in the following products: Red Hat JBoss Fuse Via RHSA-2018:2669 https://access.redhat.com/errata/RHSA-2018:2669
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2019:0877 https://access.redhat.com/errata/RHSA-2019:0877
Statement: This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. Red Hat Satellite 6.5 isn't vulnerable to this issue, since it doesn't ship bouncycastle jar file anymore.
This vulnerability is out of security support scope for the following product: * Red Hat JBoss Data Virtualization & Services 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.