Legion of the Bouncy Castle Information for VU#144389

TLS implementations may disclose side channel information via discrepencies between valid and invalid PKCS#1 padding

Status

Affected

Vendor Statement

BouncyCastle TLS servers, when configured to use the JCE (Java
Cryptography Extension) for cryptographic functions, contained a weak
Bleichenbacher oracle when any TLS cipher suite using RSA key exchange
was negotiated. This specifically includes servers using the BCJSSE
provider in its default configuration.

Affected software:
bctls-fips-1.0.2.jar and earlier versions
bctls-jdk15on-1.58.jar and earlier versions

Note that the older TLS implementation (in the
org.bouncycastle.crypto.tls package) is not vulnerable.

For FIPS users, the issue is fixed in
bctls-fips-1.0.3.jar

We recommend all FIPS users upgrade as soon as possible.

For the regular API, version 1.59 containing the fix is expected to be
available before the end of 2017. In the meantime, beta versions
beginning with 1.59b09 contain the fix, and are available from
https://downloads.bouncycastle.org/betas/ . We recommend users upgrade
immediately to
bctls-jdk15on-159b09.jar

and then upgrade to the full 1.59 release as soon as it is available. If
continuing to deploy vulnerable versions, we strongly recommend
disabling TLS cipher suites that use RSA key exchange.

Vendor Information

CVE-2017-13098 was assigned to BouncyCastle.

Vendor References

https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.