In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
References
Link | Resource |
---|---|
https://access.redhat.com/errata/RHSA-2018:2669 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2018:2927 | Third Party Advisory |
https://github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f#diff-3679f5a9d2b939d0d3ee1601a7774fb0 | Patch Third Party Advisory |
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E | Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html | Mailing List Third Party Advisory |
https://security.netapp.com/advisory/ntap-20231006-0011/ | Third Party Advisory |
https://usn.ubuntu.com/3727-1/ | Third Party Advisory |
https://www.oracle.com/security-alerts/cpuoct2020.html | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
29 Aug 2024, 11:09
Type | Values Removed | Values Added |
---|---|---|
First Time |
Netapp 7-mode Transition Tool
Redhat satellite Canonical Redhat Netapp Canonical ubuntu Linux Redhat satellite Capsule |
|
CPE | cpe:2.3:a:redhat:satellite:6.4:-:*:*:*:*:*:* cpe:2.3:a:redhat:satellite_capsule:6.4:*:*:*:*:*:*:* cpe:2.3:a:netapp:7-mode_transition_tool:-:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:*:*:*:* |
|
References | () https://access.redhat.com/errata/RHSA-2018:2669 - Third Party Advisory | |
References | () https://access.redhat.com/errata/RHSA-2018:2927 - Third Party Advisory | |
References | () https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E - Third Party Advisory | |
References | () https://security.netapp.com/advisory/ntap-20231006-0011/ - Third Party Advisory | |
References | () https://usn.ubuntu.com/3727-1/ - Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpuoct2020.html - Third Party Advisory |
07 Nov 2023, 02:29
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
06 Oct 2023, 15:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2018-06-01 20:29
Updated : 2024-08-29 11:09
NVD link : CVE-2016-1000338
Mitre link : CVE-2016-1000338
CVE.ORG link : CVE-2016-1000338
JSON object : View
Products Affected
redhat
- satellite
- satellite_capsule
canonical
- ubuntu_linux
netapp
- 7-mode_transition_tool
bouncycastle
- legion-of-the-bouncy-castle-java-crytography-api
CWE
CWE-347
Improper Verification of Cryptographic Signature