Legion of the Bouncy Castle Information for VU#144389

TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding



Vendor Statement

BouncyCastle TLS servers, when configured to use the JCE (Java
Cryptography Extension) for cryptographic functions, contained a weak
Bleichenbacher oracle when any TLS cipher suite using RSA key exchange
was negotiated. This specifically includes servers using the BCJSSE
provider in its default configuration.

Affected software:
bctls-fips-1.0.2.jar and earlier versions
bctls-jdk15on-1.58.jar and earlier versions

Note that the older TLS implementation (in the
org.bouncycastle.crypto.tls package) is not vulnerable.

For FIPS users, the issue is fixed in

We recommend all FIPS users upgrade as soon as possible.

For the regular API, version 1.59 containing the fix is expected to be
available before the end of 2017. In the meantime, beta versions
beginning with 1.59b09 contain the fix, and are available from
https://downloads.bouncycastle.org/betas/ . We recommend users upgrade
immediately to

and then upgrade to the full 1.59 release as soon as it is available. If
continuing to deploy vulnerable versions, we strongly recommend
disabling TLS cipher suites that use RSA key exchange.

Vendor Information

CVE-2017-13098 was assigned to BouncyCastle.

Vendor References



There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.