Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM725E32A9B6092E4AD63AD8E97B36AECDCE864C1BA681C18BE98CB3D51167C891
HistoryApr 16, 2021 - 3:46 p.m.

Security Bulletin: Multiple vulnerabilities in Bouncy Castle affects Apache Solr shipped with IBM Operations Analytics - Log Analysis

2021-04-1615:46:15
www.ibm.com
20

EPSS

0.006

Percentile

77.7%

JSON

Summary

There is various type of vulnerabilities in Bouncy Castle that affect Apache Solr. The list can be found at Vulnerability Details section.

Vulnerability Details

CVEID:CVE-2018-1000613
**DESCRIPTION:**Legion of the Bouncy Castle Java Cryptography APIs could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe reflection flaw in XMSS/XMSS^MT private key deserialization. By using specially-crafted private key, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/148041 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2016-1000342
**DESCRIPTION:**Bouncy Castle JCE Provider could provide weaker than expected security, caused by improper validation of ASN.1 encoding of signature in the ECDSA. A remote attacker could exploit this vulnerability to launch further attacks.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/151811 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2016-1000344
**DESCRIPTION:**Bouncy Castle JCE Provider could provide weaker than expected security, caused by a flaw in the DHIES implementation. A remote attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/151809 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2016-1000345
**DESCRIPTION:**Bouncy Castle JCE Provider could provide weaker than expected security, caused by an environment where timings can be easily observed. A remote attacker could exploit this vulnerability to conduct a padding oracle attack.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/151808 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2016-1000339
**DESCRIPTION:**Bouncy Castle JCE Provider could allow a remote attacker to obtain sensitive information, caused by a flaw in the AESEngine. An attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/151814 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2016-1000346
**DESCRIPTION:**Bouncy Castle JCE Provider could allow a remote attacker to obtain sensitive information, caused by a flaw in the other party DH public key. A remote attacker could exploit this vulnerability to reveal details via invalid keys.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/151807 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2016-1000338
**DESCRIPTION:**Bouncy Castle JCE Provider could provide weaker than expected security, caused by improper validation of ASN.1 encoding of signature in the DSA. A remote attacker could exploit this vulnerability to launch further attacks.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/151815 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2016-1000343
**DESCRIPTION:**Bouncy Castle JCE Provider could provide weaker than expected security, caused by a flaw in the DSA key pair generator. A remote attacker could exploit this vulnerability to launch further attacks.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/151810 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2016-1000340
**DESCRIPTION:**Bouncy Castle JCE Provider could provide weaker than expected security, caused by a carry propagation bug in the implementation of squaring for several raw math classes. A remote attacker could exploit this vulnerability to launch further attack.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/151813 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2016-1000352
**DESCRIPTION:**Bouncy Castle JCE Provider could provide weaker than expected security, caused by a flaw in the ECIES implementation. A remote attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/151806 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2015-6644
**DESCRIPTION:**Google Android could allow a local attacker to obtain sensitive information, caused by an error in Bouncy Castle. An attacker could exploit this vulnerability to obtain user’s private information.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/109449 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2016-1000341
**DESCRIPTION:**Bouncy Castle JCE Provider could provide weaker than expected security, caused by a flaw in the DSA signature generation. A remote attacker could exploit this vulnerability to launch timing attacks.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/151812 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2018-1000180
**DESCRIPTION:**Bouncy Castle could provide weaker than expected security, caused by an error in the Low-level interface to RSA key pair generator. The RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. An attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/144810 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
Log Analysis 1.3.1
Log Analysis 1.3.2
Log Analysis 1.3.3
Log Analysis 1.3.4
Log Analysis 1.3.5
Log Analysis 1.3.6

Remediation/Fixes

Principal Product and Version(s) : Fix details
IBM Operations Analytics - Log Analysis version 1.3.x

Upgrade to Log Analysis version 1.3.7

Download the 1.3.7-TIV-IOALA-FP here

Workarounds and Mitigations

None

Related

ibm 11
openvas 16
suse 5
nessus 23
mageia 1
debian 4
atlassian 2
osv 16
ubuntu 1
redhat 3
freebsd 1
fedora 4
veracode 13
ubuntucve 13
github 12
cvelist 13
redhatcve 9
nvd 13
debiancve 13
cve 13
prion 13
ibm
ibm
Security Bulletin: Bouncy Castle Vulnerabilities Affect IBM Sterling B2B Integrator
2021-10-06 14:43:44
Security Bulletin: Multiple Bouncy Castle Vulnerabilities Affect IBM Sterling B2B Integrator
2020-11-13 19:10:30
Security Bulletin: IBM Sterling File Gateway is vulnerable to multiple issues due to Bouncy Castle
2022-10-14 21:58:15
openvas
openvas
Mageia: Security Advisory (MGASA-2018-0376)
2022-01-28 00:00:00
openSUSE: Security Advisory for bouncycastle (openSUSE-SU-2018:1689-1)
2018-06-15 00:00:00
Debian: Security Advisory (DLA-1418-1)
2018-07-09 00:00:00
suse
suse
Security update for bouncycastle (moderate)
2018-06-14 12:07:50
Security update for bouncycastle (moderate)
2018-09-24 15:08:29
Security update for bouncycastle (moderate)
2018-08-03 21:09:02
nessus
nessus
openSUSE Security Update : bouncycastle (openSUSE-2018-628)
2018-06-14 00:00:00
Debian DLA-1418-1 : bouncycastle security update
2018-07-09 00:00:00
Ubuntu 14.04 LTS : Bouncy Castle vulnerabilities (USN-3727-1)
2018-08-02 00:00:00
mageia
mageia
Updated bouncycastle packages fix security vulnerabilities
2018-09-21 02:17:55
debian
debian
[SECURITY] [DLA 1418-1] bouncycastle security update
2018-07-07 13:56:34
[SECURITY] [DSA 4233-1] bouncycastle security update
2018-06-22 19:59:24
[SECURITY] [DSA 3829-1] bouncycastle security update
2017-04-11 20:45:09
atlassian
atlassian
Upgrade Bouncy Castle to fix multiple CVEs
2020-02-21 08:37:09
Upgrade Bouncy Castle to fix multiple CVEs
2020-02-21 08:37:09
osv
osv
bouncycastle - security update
2018-07-07 00:00:00
In Bouncy Castle JCE Provider it is possible to inject extra elements in the sequence making up the signature and still have it validate
2018-10-17 16:23:26
In Bouncy Castle JCE Provider the ECIES implementation allowed the use of ECB mode
2018-10-17 16:27:38
ubuntu
ubuntu
Bouncy Castle vulnerabilities
2018-08-01 00:00:00
redhat
redhat
(RHSA-2018:2669) Important: Fuse 7.1 security update
2018-09-11 07:52:48
(RHSA-2018:2927) Important: Satellite 6.4 security, bug fix, and enhancement update
2018-10-16 14:18:07
(RHSA-2018:2425) Important: Red Hat JBoss Enterprise Application Platform 7.1 security update
2018-08-15 11:19:19
freebsd
freebsd
Several Security Defects in the Bouncy Castle Crypto APIs
2018-06-30 00:00:00
fedora
fedora
[SECURITY] Fedora 28 Update: bouncycastle-1.60-1.fc28
2018-08-30 04:58:39
[SECURITY] Fedora 24 Update: bouncycastle-1.52-9.fc24
2017-05-02 00:24:48
[SECURITY] Fedora 28 Update: bouncycastle-1.59-1.fc28
2018-06-18 16:20:10
veracode
veracode
Carry Propagation
2017-01-16 03:22:52
Unsafe Encryption Scheme
2017-01-13 08:55:56
Information Diclosure
2017-01-16 02:25:51
ubuntucve
ubuntucve
CVE-2016-1000344
2018-06-04 00:00:00
CVE-2016-1000352
2018-06-04 00:00:00
CVE-2016-1000341
2018-06-04 00:00:00
github
github
The Bouncy Castle JCE Provider carry a propagation bug
2018-10-17 16:23:50
In Bouncy Castle JCE Provider the ECIES implementation allowed the use of ECB mode
2018-10-17 16:27:38
Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15
2018-10-18 18:04:13
cvelist
cvelist
CVE-2016-1000340
2018-06-04 13:00:00
CVE-2016-1000345
2018-06-04 21:00:00
CVE-2016-1000346
2018-06-04 21:00:00
redhatcve
redhatcve
CVE-2016-1000340
2018-06-07 18:19:22
CVE-2016-1000339
2018-06-07 18:18:53
CVE-2016-1000346
2018-06-07 05:49:06
nvd
nvd
CVE-2016-1000344
2018-06-04 21:29:00
CVE-2016-1000352
2018-06-04 21:29:00
CVE-2016-1000345
2018-06-04 21:29:00
debiancve
debiancve
CVE-2016-1000344
2018-06-04 21:29:00
CVE-2016-1000340
2018-06-04 13:29:00
CVE-2016-1000352
2018-06-04 21:29:00
cve
cve
CVE-2016-1000344
2018-06-04 21:29:00
CVE-2016-1000345
2018-06-04 21:29:00
CVE-2016-1000342
2018-06-04 13:29:00
prion
prion
Design/Logic Flaw
2018-06-04 21:29:00
Input validation
2018-06-04 13:29:00
Code injection
2018-06-04 21:29:00

EPSS

0.006

Percentile

77.7%

JSON
Related for 725E32A9B6092E4AD63AD8E97B36AECDCE864C1BA681C18BE98CB3D51167C891
ibm11openvas16suse5nessus23mageia1debian4atlassian2osv16ubuntu1redhat3freebsd1fedora4veracode13ubuntucve13github12cvelist13redhatcve9nvd13debiancve13cve13prion13