Legion of the Bouncy Castle Information for VU#144389
TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding
- Date Notified: 15 Nov 2017
- Statement Date: 12 Dec 2017
- Date Updated: 12 Dec 2017
Status
Affected
Vendor Statement
BouncyCastle TLS servers, when configured to use the JCE (Java
Cryptography Extension) for cryptographic functions, contained a weak
Bleichenbacher oracle when any TLS cipher suite using RSA key exchange
was negotiated. This specifically includes servers using the BCJSSE
provider in its default configuration.
Affected software:
bctls-fips-1.0.2.jar and earlier versions
bctls-jdk15on-1.58.jar and earlier versions
Note that the older TLS implementation (in the
org.bouncycastle.crypto.tls package) is not vulnerable.
For FIPS users, the issue is fixed in
bctls-fips-1.0.3.jar
We recommend all FIPS users upgrade as soon as possible.
For the regular API, version 1.59 containing the fix is expected to be
available before the end of 2017. In the meantime, beta versions
beginning with 1.59b09 contain the fix, and are available from
https://downloads.bouncycastle.org/betas/. We recommend users upgrade
immediately to
bctls-jdk15on-159b09.jar
and then upgrade to the full 1.59 release as soon as it is available. If
continuing to deploy vulnerable versions, we strongly recommend
disabling TLS cipher suites that use RSA key exchange.
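The statement's interim mitigation is to disable every TLS cipher suite that uses RSA key exchange, since those are the suites in which the client encrypts the premaster secret with the server's RSA key and so the only ones a Bleichenbacher padding oracle can act on. The following is an added example, not BouncyCastle's own code: it filters such suites out of a JSSE server's enabled list using only the standard `javax.net.ssl` API, which applies equally whether the installed provider is SunJSSE or BCJSSE. It assumes the standard IANA-style suite naming (`TLS_RSA_WITH_...`, `SSL_RSA_...`, `TLS_RSA_EXPORT_...`, `TLS_RSA_PSK_...` all begin with the RSA key-exchange prefix), and that suites such as `TLS_ECDHE_RSA_*` or `TLS_DHE_RSA_*`, which use RSA only for signatures, are to be kept. The class name `NoRsaKeyExchange` and its methods are hypothetical names chosen for this example.

```java
import java.util.Arrays;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Added example (not BouncyCastle's code): drops every cipher suite whose
 * key exchange is plain RSA, i.e. where the premaster secret is RSA-encrypted
 * and therefore exposed to a PKCS#1 v1.5 padding oracle on the server.
 * Suites that only use RSA to sign an (EC)DHE exchange are kept.
 */
public final class NoRsaKeyExchange {

    // Standard suite names begin with the key-exchange algorithm. Matching
    // the "RSA_" prefix catches TLS_RSA_WITH_*, TLS_RSA_EXPORT_*, SSL_RSA_*
    // and TLS_RSA_PSK_*, but not TLS_ECDHE_RSA_* or TLS_DHE_RSA_*.
    private static final Pattern RSA_KEY_EXCHANGE = Pattern.compile("^(TLS|SSL)_RSA_");

    /** Returns the subset of the given suites that does not use RSA key exchange. */
    public static String[] withoutRsaKeyExchange(String[] suites) {
        return Arrays.stream(suites)
                .filter(s -> !RSA_KEY_EXCHANGE.matcher(s).find())
                .toArray(String[]::new);
    }

    /** True if the suite would be vulnerable to this class of oracle. */
    public static boolean usesRsaKeyExchange(String suite) {
        return RSA_KEY_EXCHANGE.matcher(suite).find();
    }

    /**
     * Creates a server socket from the given context and restricts its enabled
     * suites. The same setEnabledCipherSuites call exists on SSLEngine and
     * SSLSocket, so the filter can be applied at whichever layer the server uses.
     */
    public static SSLServerSocket hardenedServerSocket(SSLContext ctx, int port) throws Exception {
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(port);
        socket.setEnabledCipherSuites(withoutRsaKeyExchange(socket.getEnabledCipherSuites()));
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Uses whichever JSSE provider is installed first (SunJSSE by default,
        // BCJSSE if it has been registered ahead of it); no network access needed.
        SSLContext ctx = SSLContext.getDefault();
        String[] before = ctx.getDefaultSSLParameters().getCipherSuites();
        String[] after = withoutRsaKeyExchange(before);
        System.out.println("default suites: " + before.length
                + ", after removing RSA key exchange: " + after.length);
        for (String s : before) {
            if (usesRsaKeyExchange(s)) {
                System.out.println("dropped " + s);
            }
        }
    }
}
```

Running `main` prints which of the provider's default suites would be removed, which is a quick way to confirm that a deployment still relying on an affected `bctls` version no longer offers RSA key exchange; the filter is deliberately a name-prefix test so that it does not depend on any provider-specific enumeration of key-exchange algorithms.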
Vendor Information
CVE-2017-13098 was assigned to BouncyCastle.
Vendor References
https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c
Addendum
There are no additional comments at this time.