Platform
java
Component
org.bouncycastle:bcprov-jdk14
Fixed in
1.56
CVE-2016-1000346 is a security vulnerability in the Bouncy Castle JCE Provider affecting versions 1.55 and earlier. The flaw is that the other party's Diffie-Hellman (DH) public key is not fully validated before agreement. An invalid public key can be used to reveal details about the receiving party's private key, which matters most where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked when the agreement is calculated.
The core of the vulnerability is the missing validation of the DH public value received during key exchange. An attacker who controls that value can send one that lies outside the intended subgroup (for example, an element of small order in the multiplicative group mod p). The shared secret computed from such a value depends only on the victim's private exponent reduced modulo that small order, so each exchange leaks a few bits of the private key. With an ephemeral key the leak is worthless, because the key is discarded after one use; with a static key pair the attacker can repeat the exchange and accumulate the leaked residues, which is why the CVE singles out static Diffie-Hellman. The impact is not remote code execution, but compromise of a static DH private key can allow decryption of past traffic protected by that key and impersonation of its owner. The risk is amplified where Bouncy Castle provides the key exchange for secure communication protocols such as TLS.
CVE-2016-1000346 carries a 2016 identifier but was not publicly disclosed until 2018, after the fix had already shipped in 1.56. There is no indication of active exploitation campaigns targeting this vulnerability, and it is not listed in the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a relatively low probability of exploitation, but the potential for key compromise remains a concern in legacy systems still running vulnerable versions of Bouncy Castle.
Applications and systems that rely on the Bouncy Castle JCE Provider for cryptographic operations, in particular those that perform Diffie-Hellman agreement with a static key pair, are at risk. Legacy applications whose dependencies have not been updated are especially likely to still carry a vulnerable version.
• java / application:
find / -name "bcprov-jdk14-*.jar" 2>/dev/null   # the version is part of the file name; anything below 1.56 is affected
• java / application:
unzip -p bcprov-jdk14-1.55.jar META-INF/MANIFEST.MF | grep -i version   # read the version recorded in the jar manifest
• java / application:
mvn dependency:tree | grep bcprov   # Maven builds: check the resolved version, including transitive dependencies
• java / application: Monitor application logs for unusual key exchange errors or warnings related to DH parameters.
Exploit status
disclosure
EPSS
0.96% (76th percentile)
CVSS vector
The primary mitigation for CVE-2016-1000346 is to upgrade to Bouncy Castle JCE Provider version 1.56 or later, which checks the key parameters when the agreement is calculated. If an immediate upgrade is not feasible because of compatibility issues, validate the peer's public value in your own code before passing it to the provider: reject values outside the range 1 < y < p - 1, and, when the subgroup order q is known, reject any y with y^q mod p != 1. This supplements rather than replaces the provider's own checks. Review your application's use of static Diffie-Hellman and consider moving to ephemeral key exchange where possible, since a leak against an ephemeral key is worthless to the attacker. After upgrading, confirm the fix by running an agreement against a deliberately invalid public value (for example p - 1) and verifying that the provider rejects it instead of producing a shared secret.
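The following is an added example, not code from Bouncy Castle or from this page, covering both the leak described in the vulnerability section and the supplementary validation recommended above. It is written in Python so that the arithmetic is visible; the same two checks apply in Java before the peer value reaches `KeyAgreement.doPhase()`. The group (p = 239, with p - 1 = 2 * 7 * 17) and the private key are constructed toy values chosen so that the numbers can be followed by hand.

```python
# Added example; not Bouncy Castle's code. It shows (1) why an unvalidated DH
# public value leaks information about a static private key and (2) the checks
# a caller can run before handing the peer's value to the provider.
# Toy group (constructed): p = 239, p - 1 = 2 * 7 * 17. Real deployments use
# 2048-bit or larger groups (e.g. the RFC 7919 groups).

from typing import Optional

P = 239
Q = 17                             # order of the intended subgroup
R = 7                              # small factor of p - 1 an attacker can exploit
G = pow(2, (P - 1) // Q, P)        # generator of the order-17 subgroup (132)
Y_SMALL = pow(2, (P - 1) // R, P)  # element of order 7 (201), outside the Q subgroup


def validate_dh_public_key(y: int, p: int, q: Optional[int] = None) -> bool:
    """Full public-key validation in the style of NIST SP 800-56A.

    1. 1 < y < p - 1 rejects 0, 1 and p - 1 (orders 1 and 2) and out-of-range values.
    2. y**q mod p == 1 (when q is known) rejects every value outside the order-q
       subgroup, which is what blocks small-subgroup confinement.
    Without q only the range check is possible; for a safe prime p = 2q + 1 the
    caller can derive q = (p - 1) // 2.
    """
    if not (1 < y < p - 1):
        return False
    if q is not None and pow(y, q, p) != 1:
        return False
    return True


def shared_secret(peer_y: int, x: int, p: int) -> int:
    """Plain DH agreement with no validation: the vulnerable behaviour."""
    return pow(peer_y, x, p)


def recover_residue(small_y: int, order: int, observed_secret: int, p: int) -> Optional[int]:
    """Attacker side: a peer value of small order `order` yields a shared secret
    that can take only `order` values, so brute force gives x mod order."""
    for k in range(order):
        if pow(small_y, k, p) == observed_secret:
            return k
    return None


def demo(x: int = 123) -> dict:
    """Run the leak against static private key x, then the check that prevents it."""
    leaked = recover_residue(Y_SMALL, R, shared_secret(Y_SMALL, x, P), P)
    return {
        "honest_key_valid": validate_dh_public_key(G, P, Q),       # True
        "small_order_key_valid": validate_dh_public_key(Y_SMALL, P, Q),  # False
        "leaked_x_mod_r": leaked,                                   # x mod 7
        "leak_matches": leaked == x % R,
    }


if __name__ == "__main__":
    print(demo())
```

In a real attack the adversary confirms each guessed residue through whatever the shared secret is used for (a key-confirmation MAC, a decryption check) and, because the victim's key is static, repeats the exchange with values of other small orders and combines the residues with the Chinese remainder theorem. The range check alone stops y = p - 1 and similar trivial values; only the subgroup check (the second test in `validate_dh_public_key`) stops the order-7 value above.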
CVE-2016-1000346 is a vulnerability in Bouncy Castle JCE Provider versions 1.55 and earlier in which insufficient validation of the peer's DH public key can leak information about a static private key.
You are affected if you use Bouncy Castle JCE Provider version 1.55 or earlier. Check your dependency tree, including transitive dependencies, to determine whether a vulnerable version is resolved.
Upgrade to Bouncy Castle JCE Provider version 1.56 or later, which validates the key parameters when the agreement is calculated.
There is no current evidence of active exploitation campaigns targeting CVE-2016-1000346, but the potential for key compromise remains a concern where static DH keys are in use.
Refer to the Bouncy Castle security advisories on their official website: https://www.bouncycastle.org/security/.