Platform: java
Component: org.bouncycastle:bcprov-jdk14
Fixed in: 1.56
CVE-2016-1000346 is a security vulnerability affecting the Bouncy Castle JCE Provider, specifically impacting versions up to 1.55. This flaw stems from inadequate validation of the other party's Diffie-Hellman (DH) public key. Exploitation could potentially lead to the exposure of sensitive information related to the other party's private key, particularly in static Diffie-Hellman implementations. A fix was released in version 1.56.
The core of this vulnerability lies in the insufficient validation of the DH public key received during key exchange. An attacker could craft a malicious public key that, when processed by the Bouncy Castle provider, would reveal details about the legitimate party's private key. This is particularly concerning in static Diffie-Hellman scenarios, where the same key pair is used repeatedly, increasing the window of opportunity for an attacker. While the impact isn't immediate remote code execution, the compromise of a private key can have far-reaching consequences, potentially enabling decryption of past communications and impersonation of the affected party. The risk is amplified in environments where Bouncy Castle is used for secure communication protocols like TLS/SSL.
CVE-2016-1000346 was publicly disclosed in October 2018. There is no indication of active exploitation campaigns targeting this vulnerability. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a relatively low probability of exploitation, but the potential for key compromise remains a concern, especially in legacy systems still using vulnerable versions of Bouncy Castle.
Exploit Status
EPSS: 0.96% (76th percentile)
CVSS Vector
The primary mitigation for CVE-2016-1000346 is to upgrade to Bouncy Castle JCE Provider version 1.56 or later. This version includes the necessary key parameter checks to prevent the vulnerability. If an immediate upgrade is not feasible due to compatibility issues, consider implementing stricter key validation routines within your application code to supplement the provider's validation. While not a direct replacement, this can provide an additional layer of defense. Review your application's use of static Diffie-Hellman and consider migrating to more secure key exchange mechanisms where possible. After upgrading, confirm the fix by performing a key exchange test and verifying that the key parameters are correctly validated.
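As an added illustration of the supplementary application-side check recommended above (this is not Bouncy Castle's own code; the class and method names are hypothetical and the 23-element group is constructed for the demo), the following Java validates a peer's DH public value before it is handed to KeyAgreement.doPhase(): it rejects values outside [2, p-2] and, when the subgroup order q is known, any y with y^q mod p != 1, which is the kind of crafted public key the description above warns about.

```java
import java.math.BigInteger;
import javax.crypto.interfaces.DHPublicKey;

// Added example (hypothetical class and method names), not Bouncy Castle code:
// validate a peer's DH public value before it reaches KeyAgreement.doPhase().
public final class DhPeerKeyCheck {

    private static final BigInteger TWO = BigInteger.valueOf(2);

    /**
     * Full public-key validation: y must lie in [2, p-2] and, when the
     * subgroup order q is known, satisfy y^q mod p == 1. Pass q == null
     * if only p and g are available (partial validation: range check only).
     */
    public static boolean isValidPeerValue(BigInteger y, BigInteger p, BigInteger q) {
        // 0, 1, p-1 and out-of-range values force the shared secret into a
        // tiny subgroup, which is exactly what a malicious peer relies on.
        if (y.compareTo(TWO) < 0 || y.compareTo(p.subtract(TWO)) > 0) {
            return false;
        }
        // A value outside the order-q subgroup lets a peer learn a static
        // private key modulo the small factors of (p-1)/q, one exchange at a time.
        return q == null || y.modPow(q, p).equals(BigInteger.ONE);
    }

    /** For a safe prime p = 2q + 1 the subgroup order is simply (p-1)/2. */
    public static boolean isValidPeerValueSafePrime(BigInteger y, BigInteger p) {
        return isValidPeerValue(y, p, p.subtract(BigInteger.ONE).shiftRight(1));
    }

    /** Wrapper for a JCE DHPublicKey; q must come from the caller's own group definition. */
    public static boolean isValidPeerKey(DHPublicKey peer, BigInteger q) {
        return isValidPeerValue(peer.getY(), peer.getParams().getP(), q);
    }

    public static void main(String[] args) {
        // Constructed toy safe-prime group: p = 23, q = 11, generator g = 4 (order 11).
        BigInteger p = BigInteger.valueOf(23);
        BigInteger q = BigInteger.valueOf(11);
        System.out.println(isValidPeerValue(BigInteger.valueOf(4), p, q));        // 4 lies in the order-11 subgroup
        System.out.println(isValidPeerValue(BigInteger.valueOf(5), p, q));        // 5 generates the full group (order 22)
        System.out.println(isValidPeerValue(BigInteger.valueOf(22), p, q));       // p-1 has order 2
        System.out.println(isValidPeerValueSafePrime(BigInteger.valueOf(1), p));  // 1 is the identity
    }
}
```

In production the group parameters and q come from your own trusted configuration (for example a named group), never from the peer's key.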
CVE-2016-1000346 is a vulnerability in Bouncy Castle JCE Provider versions up to 1.55 where insufficient validation of DH public keys can lead to private key compromise.
You are affected if you are using Bouncy Castle JCE Provider version 1.55 or earlier. Check your dependencies to determine if you are using a vulnerable version.
Upgrade to Bouncy Castle JCE Provider version 1.56 or later to address the vulnerability. This version includes improved key parameter validation.
There is no current evidence of active exploitation campaigns targeting CVE-2016-1000346, but the potential for key compromise remains a concern.
Refer to the Bouncy Castle security advisories on their official website: https://www.bouncycastle.org/security/.