OpenJDK: non-constant time GCM authentication tag comparison (JCE, 8143945)

🗓️ 03 May 2016 18:35:32Reported by RedHatType

OpenJDK Java Cryptography Extension Galois Counter Mode uses non constant time authentication tag comparison, enabling tag deduction.

Reporter	Title	Published	Views	Family All 236
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MQ Light (CVE-2016-3426)	15 Jun 201807:06	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in java affect Power Hardware Management Console (CVE-2016-3426 )	23 Sep 202101:31	–	ibm
IBM Security Bulletins	Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Content Manager Records Enabler (CVE-2016-3427)	17 Jun 201812:16	–	ibm
IBM Security Bulletins	Security Bulletin: A vulnerability in IBM Java SDK affects IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway	16 Jun 201821:41	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in IBM® Java SDK affects multiple IBM Rational products based on IBM Jazz technology (CVE-2016-3427)	28 Apr 202118:35	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)	15 Jun 201807:05	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling External Authentication Server (CVE-2016-3426, CVE-2016-3485)	17 Dec 201922:56	–	ibm
IBM Security Bulletins	Security Bulletin: A vulnerability in IBM Java Runtime affect IBM Financial Transaction Manager for ACH Services, Check Services and Corporate Payment Services (CVE-2016-3426)	16 Jun 201820:01	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud Manager with OpenStack	8 Aug 201804:13	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Java affect IBM Netezza Analytics for NPS	31 May 202203:16	–	ibm

OS	OS Version	Architecture	Package	Package Version	Filename
Red Hat Enterprise Linux	7	i686	java-1.8.0-ibm	1:1.8.0.3.0-1jpp.1.el7	java-1.8.0-ibm-1:1.8.0.3.0-1jpp.1.el7.i686.rpm
Red Hat Enterprise Linux	7	ppc	java-1.8.0-ibm	1:1.8.0.3.0-1jpp.1.el7	java-1.8.0-ibm-1:1.8.0.3.0-1jpp.1.el7.ppc.rpm
Red Hat Enterprise Linux	7	ppc64	java-1.8.0-ibm	1:1.8.0.3.0-1jpp.1.el7	java-1.8.0-ibm-1:1.8.0.3.0-1jpp.1.el7.ppc64.rpm
Red Hat Enterprise Linux	7	ppc64le	java-1.8.0-ibm	1:1.8.0.3.0-1jpp.1.el7	java-1.8.0-ibm-1:1.8.0.3.0-1jpp.1.el7.ppc64le.rpm
Red Hat Enterprise Linux	7	s390	java-1.8.0-ibm	1:1.8.0.3.0-1jpp.1.el7	java-1.8.0-ibm-1:1.8.0.3.0-1jpp.1.el7.s390.rpm
Red Hat Enterprise Linux	7	s390x	java-1.8.0-ibm	1:1.8.0.3.0-1jpp.1.el7	java-1.8.0-ibm-1:1.8.0.3.0-1jpp.1.el7.s390x.rpm
Red Hat Enterprise Linux	7	x86_64	java-1.8.0-ibm	1:1.8.0.3.0-1jpp.1.el7	java-1.8.0-ibm-1:1.8.0.3.0-1jpp.1.el7.x86_64.rpm
Red Hat Enterprise Linux	7	ppc64	java-1.8.0-ibm-demo	1:1.8.0.3.0-1jpp.1.el7	java-1.8.0-ibm-demo-1:1.8.0.3.0-1jpp.1.el7.ppc64.rpm
Red Hat Enterprise Linux	7	ppc64le	java-1.8.0-ibm-demo	1:1.8.0.3.0-1jpp.1.el7	java-1.8.0-ibm-demo-1:1.8.0.3.0-1jpp.1.el7.ppc64le.rpm
Red Hat Enterprise Linux	7	s390x	java-1.8.0-ibm-demo	1:1.8.0.3.0-1jpp.1.el7	java-1.8.0-ibm-demo-1:1.8.0.3.0-1jpp.1.el7.s390x.rpm

Source	Link
oracle	www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html
access	www.access.redhat.com/security/cve/CVE-2016-3426
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
nvd	www.nvd.nist.gov/vuln/detail/CVE-2016-3426
cve	www.cve.org/CVERecord

21 Nov 2025 17:56Current

7.4High risk

Vulners AI Score7.4

CVSS 33.1

CVSS 24.3

EPSS0.00988

SSVC