Security Bulletin: PowerSC is vulnerable to information disclosure due to Bouncy Castle (CVE-2020-15522)

Summary

A vulnerability in Bouncy Castle could allow a remote attacker to obtain sensitive information, which could be exploited to obtain private key information (CVE-2020-15522). PowerSC uses Bouncy Castle for cryptography.

Vulnerability Details

CVEID:CVE-2020-15522
**DESCRIPTION:**Bouncy Castle BC Java, BC C# .NET, BC-FJA, BC-FNA could allow a remote attacker to obtain sensitive information, caused by a timing issue within the EC math library. By utilize cryptographic attack techniques, an attacker could exploit this vulnerability to obtain the private key information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/202188 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

The vulnerabilities in the following filesets are being addressed:

Note: To find out whether the affected PowerSC filesets are installed on your systems, refer to the lslpp command found in AIX user’s guide.

Example: lslpp -l | grep powerscStd

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Recommended remediation is to update to PowerSC 2.1.0.4 or later:

[PowerSC Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Virtualiza tion%20software&product=ibm/power/IBM+PowerSC&release=All&platform=All&function= all> “PowerSC Fix Central” )

Workarounds and Mitigations

None