Legion of the Bouncy Castle Information for VU#144389
TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding
Vendor Information
- Date Notified: 15 Nov 2017
- Statement Date: 12 Dec 2017
- Date Updated: 12 Dec 2017
BouncyCastle TLS servers, when configured to use the JCE (Java
Cryptography Extension) for cryptographic functions, contained a weak
Bleichenbacher oracle when any TLS cipher suite using RSA key exchange
was negotiated. This specifically includes servers using the BCJSSE
provider in its default configuration.
- bctls-fips-1.0.2.jar and earlier versions
- bctls-jdk15on-1.58.jar and earlier versions
Note that the older TLS implementation (in the
org.bouncycastle.crypto.tls package) is not vulnerable.
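The oracle the statement describes is the classic one: a server whose handling of the RSA-decrypted premaster secret behaves differently depending on whether the PKCS#1 v1.5 padding checked out. The example below is an added illustration written for this page, not BouncyCastle's code and not a description of how BCJSSE or the fix is implemented. It contrasts a leaky check that exits early on each failure mode with the countermeasure from RFC 5246 section 7.4.7.1, where the server always continues with a 48-byte premaster secret and substitutes a random one on any failure, so valid and invalid padding are indistinguishable from the outside. The modulus length and client version used in `main` are assumed for the demo; the leaky variant exhibits an error-versus-success oracle, and its data-dependent loop also leaks timing, which is a second channel the hardened variant avoids by doing a fixed amount of work.

```java
import java.security.SecureRandom;
import java.util.Arrays;

// Added illustration (not BouncyCastle code). Both unwrap functions take the already
// RSA-decrypted block `em`, whose length equals the modulus length k.
public final class PremasterSecretHandling {
    static final int PMS_LEN = 48;

    // Leaky variant: each failure mode exits early with an error. A client that can tell
    // "handshake failed here" from "handshake continued" has a Bleichenbacher oracle.
    static byte[] leakyUnwrap(byte[] em, int clientMajor, int clientMinor) {
        if (em.length < 11 || em[0] != 0x00 || em[1] != 0x02) {
            throw new IllegalArgumentException("bad PKCS#1 header");
        }
        int sep = 2;
        while (sep < em.length && em[sep] != 0x00) sep++;   // scan for the 0x00 separator
        if (sep < 10 || sep == em.length) {
            throw new IllegalArgumentException("bad padding");
        }
        byte[] pms = Arrays.copyOfRange(em, sep + 1, em.length);
        if (pms.length != PMS_LEN) throw new IllegalArgumentException("bad length");
        if ((pms[0] & 0xff) != clientMajor || (pms[1] & 0xff) != clientMinor) {
            throw new IllegalArgumentException("version mismatch");
        }
        return pms;
    }

    // 1 if the low bytes of a and b differ, else 0, computed without branches.
    static int neq(int a, int b) {
        int d = (a ^ b) & 0xff;
        return (d | -d) >>> 31;
    }

    // Hardened variant: always returns 48 bytes. Every check folds into `bad`; the result is
    // selected by mask, so the caller sees the same control flow and output length whether the
    // padding was valid or not. The only early exit depends on the public modulus length.
    static byte[] hardenedUnwrap(byte[] em, int clientMajor, int clientMinor, SecureRandom rng) {
        int k = em.length;
        if (k < PMS_LEN + 11) throw new IllegalArgumentException("modulus too small");
        byte[] fallback = new byte[PMS_LEN];
        rng.nextBytes(fallback);                     // random premaster secret for the failure case
        int sep = k - PMS_LEN - 1;                   // where the 0x00 separator must sit
        int bad = neq(em[0], 0x00) | neq(em[1], 0x02);
        for (int i = 2; i < sep; i++) bad |= 1 - neq(em[i], 0x00);   // padding bytes must be nonzero
        bad |= neq(em[sep], 0x00);
        bad |= neq(em[sep + 1], clientMajor) | neq(em[sep + 2], clientMinor);
        int mask = -bad;                             // all ones if anything failed, else zero
        byte[] out = new byte[PMS_LEN];
        for (int i = 0; i < PMS_LEN; i++) {
            out[i] = (byte) ((fallback[i] & mask) | (em[sep + 1 + i] & ~mask));
        }
        return out;
    }

    // Demo helper: builds a correctly encoded k-byte block around a premaster secret.
    static byte[] encode(byte[] pms, int k, SecureRandom rng) {
        byte[] em = new byte[k];
        em[0] = 0x00;
        em[1] = 0x02;
        int sep = k - pms.length - 1;
        for (int i = 2; i < sep; i++) {
            int b;
            do { b = rng.nextInt(256); } while (b == 0);
            em[i] = (byte) b;
        }
        em[sep] = 0x00;
        System.arraycopy(pms, 0, em, sep + 1, pms.length);
        return em;
    }

    public static void main(String[] args) {
        SecureRandom rng = new SecureRandom();
        int k = 256;                                 // assumed: RSA-2048 modulus, 256 bytes
        byte[] pms = new byte[PMS_LEN];
        rng.nextBytes(pms);
        pms[0] = 0x03;
        pms[1] = 0x03;                               // assumed client_version: TLS 1.2
        byte[] good = encode(pms, k, rng);
        byte[] tampered = good.clone();
        tampered[1] = 0x01;                          // corrupt the block type, as an attacker's query would

        System.out.println("leaky, good:     " + leakyUnwrap(good, 3, 3).length + " bytes");
        try {
            leakyUnwrap(tampered, 3, 3);
        } catch (IllegalArgumentException e) {
            System.out.println("leaky, tampered: " + e.getMessage() + "  <- observable difference");
        }
        System.out.println("hardened, good:     " + hardenedUnwrap(good, 3, 3, rng).length + " bytes");
        System.out.println("hardened, tampered: " + hardenedUnwrap(tampered, 3, 3, rng).length + " bytes");
    }
}
```

The hardened function only removes the oracle if the rest of the server cooperates: the handshake must carry on with whatever 48 bytes come back and fail later at the Finished message, without a distinguishable alert, log line, or timing difference in between. That is why the recommended mitigation for deployed vulnerable versions is to stop negotiating RSA key exchange altogether rather than to patch one check.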
For FIPS users, the issue is fixed in
We recommend all FIPS users upgrade as soon as possible.
For the regular API, version 1.59 containing the fix is expected to be
available before the end of 2017. In the meantime, beta versions
beginning with 1.59b09 contain the fix, and are available from
https://downloads.bouncycastle.org/betas/ . We recommend users upgrade
and then upgrade to the full 1.59 release as soon as it is available. If
continuing to deploy vulnerable versions, we strongly recommend
disabling TLS cipher suites that use RSA key exchange.
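One way to apply that mitigation on a BCJSSE server, as an added example rather than BouncyCastle's own code: filter the enabled cipher suites so that nothing using RSA encryption of the premaster secret remains. Those suites carry the standard names `TLS_RSA_*` and `SSL_RSA_*` (which also covers `TLS_RSA_PSK_*` and the export suites); `TLS_ECDHE_RSA_*` and `TLS_DHE_RSA_*` use RSA only for signatures and are unaffected, so they are kept. The `SSLContext` setup in `main` assumes a `bctls` jar on the classpath and, for brevity, initialises the context without key material; a real server passes its `KeyManager` to `init`.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

// Added example (not BouncyCastle's own code): remove every cipher suite whose key exchange is
// RSA encryption of the premaster secret, and keep a check handy so a regression is caught early.
public final class DisableRsaKeyExchange {

    // RSA key exchange suites are the ones named TLS_RSA_* or SSL_RSA_*; ECDHE_RSA/DHE_RSA stay.
    static boolean usesRsaKeyExchange(String suite) {
        return suite.startsWith("TLS_RSA_") || suite.startsWith("SSL_RSA_");
    }

    static String[] withoutRsaKeyExchange(String[] suites) {
        return Arrays.stream(suites)
                .filter(s -> !usesRsaKeyExchange(s))
                .toArray(String[]::new);
    }

    // Startup or test-time check: true if an RSA key exchange suite is still enabled.
    static boolean hasRsaKeyExchange(String[] suites) {
        return Arrays.stream(suites).anyMatch(DisableRsaKeyExchange::usesRsaKeyExchange);
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleJsseProvider());
        SSLContext ctx = SSLContext.getInstance("TLS", "BCJSSE");
        ctx.init(null, null, null);   // assumed for the demo; a real server supplies its KeyManager here
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        try (SSLServerSocket ss = (SSLServerSocket) factory.createServerSocket(0)) {
            String[] before = ss.getEnabledCipherSuites();
            ss.setEnabledCipherSuites(withoutRsaKeyExchange(before));
            String[] after = ss.getEnabledCipherSuites();
            System.out.println("RSA key exchange enabled before: " + hasRsaKeyExchange(before));
            System.out.println("RSA key exchange enabled after:  " + hasRsaKeyExchange(after));
            if (hasRsaKeyExchange(after)) {
                throw new IllegalStateException("RSA key exchange suites still enabled");
            }
            for (String s : after) System.out.println("  " + s);
        }
    }
}
```

The same filter can be applied through `SSLParameters.setCipherSuites` on an `SSLEngine` or `SSLSocket` if the server is built on those instead. To confirm the change from the outside, connect with a client that offers only RSA key exchange suites, for example `openssl s_client -cipher kRSA -connect host:port`; the handshake should fail, and a connection without the `-cipher` restriction should still succeed on an ECDHE or DHE suite.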
CVE-2017-13098 was assigned to BouncyCastle.
There are no additional comments at this time.