Bugzilla – Bug 1072697
VUL-0: CVE-2017-13098: bouncycastle: TLS server vulnerable to Adaptive Chosen Ciphertext attack when using JCE allowing plaintext recovery or MITM attack
Last modified: 2020-05-03 22:17:43 UTC
rh#1525528 wolfSSL prior to version 3.12.2 provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable wolfSSL application. This vulnerability is referred to as "ROBOT."

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1525528
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13098
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13099
http://seclists.org/oss-sec/2017/q4/391
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13099.html
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13098.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13099
https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c
http://www.kb.cert.org/vuls/id/144389
https://github.com/wolfSSL/wolfssl/pull/1229
Bouncy Castle (CVE-2017-13098): https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c
1.59 beta 9 contains the fix: https://downloads.bouncycastle.org/betas/
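The weak oracle described in the report above exists when a TLS server lets the outcome of the PKCS#1 v1.5 check on the RSA-encrypted pre-master secret become observable (a distinct alert, an exception, or a timing difference). The countermeasure RFC 5246 section 7.4.7.1 specifies is to draw a random 48-byte pre-master secret before looking at the decrypted block, examine the whole block without early exit, and silently substitute the random value on any failure so that the handshake only fails later, at the Finished message, indistinguishably from a wrong-but-well-formed ciphertext. The Python below is an added illustration of that structure; it is not code from Bouncy Castle, wolfSSL, or the linked fix commit. It assumes the RSA private-key operation has already been performed and operates on the resulting k-byte block, assumes `expected_version` is the client_version from ClientHello, and, because Python offers no constant-time guarantees, demonstrates the branch-free control-flow shape rather than a true constant-time implementation.

```python
import secrets

PMS_LEN = 48  # TLS pre-master secret length (RFC 5246 section 7.4.7.1)


def encode_premaster_secret(pms: bytes, k: int) -> bytes:
    """PKCS#1 v1.5 block type 2 encoding of a 48-byte pre-master secret.

    Builds the k-byte block a client would RSA-encrypt:
        00 || 02 || PS (non-zero bytes, at least 8 of them) || 00 || pms
    Encoder side only; it is here so the example can construct well-formed
    and deliberately malformed sample blocks offline (constructed test data).
    """
    if len(pms) != PMS_LEN or k < PMS_LEN + 11:
        raise ValueError("pms must be 48 bytes and k at least 59")
    ps = bytearray()
    while len(ps) < k - PMS_LEN - 3:
        b = secrets.token_bytes(1)
        if b != b"\x00":          # PS must not contain zero bytes
            ps += b
    return b"\x00\x02" + bytes(ps) + b"\x00" + pms


def unpad_premaster_secret(block: bytes, expected_version: bytes) -> bytes:
    """Recover the pre-master secret from a decrypted RSA block the RFC 5246 way.

    Every failure (wrong block type, zero byte inside PS, misplaced separator,
    wrong client_version) is folded into one accumulator; the function never
    raises and never returns early, and the final selection between the real
    and the random fallback value is a mask operation rather than a branch.
    """
    # 1. Random fallback is generated BEFORE the block is inspected.
    fallback = secrets.token_bytes(PMS_LEN)
    k = len(block)
    if k < PMS_LEN + 11:
        # A real server always receives exactly modulus-length bytes from the
        # RSA operation, so this guards against misuse only; still no exception.
        return fallback

    sep = k - PMS_LEN - 1            # where the 0x00 separator must sit
    bad = block[0] | (block[1] ^ 0x02)
    for i in range(2, sep):
        # ((x - 1) >> 8) & 1 is 1 exactly when x == 0: a zero byte inside PS
        bad |= ((block[i] - 1) >> 8) & 1
    bad |= block[sep]                # separator must be 0x00
    bad |= block[sep + 1] ^ expected_version[0]
    bad |= block[sep + 2] ^ expected_version[1]

    # 2. Collapse the accumulator to one bit, then to a byte mask (0x00/0xFF).
    is_bad = ((bad | -bad) >> 63) & 1
    mask = (-is_bad) & 0xFF

    # 3. Select real or fallback PMS without a data-dependent branch.
    real = block[k - PMS_LEN:]
    return bytes((r & (mask ^ 0xFF)) | (f & mask) for r, f in zip(real, fallback))


if __name__ == "__main__":
    # Constructed sample: TLS 1.2 client_version followed by 46 dummy bytes.
    pms = b"\x03\x03" + bytes(range(46))
    good = encode_premaster_secret(pms, 256)
    print(unpad_premaster_secret(good, b"\x03\x03") == pms)       # True
    broken = bytearray(good)
    broken[1] = 0x01                                              # wrong block type
    print(unpad_premaster_secret(bytes(broken), b"\x03\x03") == pms)  # False, no error
```

The property a reviewer checks is that every malformed input takes the same code path as a well-formed one and ends in a 48-byte value rather than an exception or a specific alert; the caller then proceeds into key derivation as usual and the peer's Finished verification is what rejects the handshake.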
bouncycastle package is on openSUSE Leap only.
Java is for Pedro these days :)
I believe we are not affected by this bug since we are packaging the "JCE with provider and lightweight API" version (bcprov-jdk15on-158.tar.gz) and the affected code is in the "DTLS/TLS API/JSSE Provider" version (bctls-jdk15on-159b09.tar.gz), that we are not packaging. See the download site: http://polydistortion.net/bc/index.html
ok
This is an autogenerated message for OBS integration: This bug (1072697) was mentioned in https://build.opensuse.org/request/show/614511 42.3 / bouncycastle
openSUSE-SU-2018:1689-1: An update that fixes 11 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1072697,1095722,1095849,1095850,1095852,1095853,1095854,1096022,1096024,1096025,1096026
CVE References: CVE-2016-1000338,CVE-2016-1000339,CVE-2016-1000340,CVE-2016-1000341,CVE-2016-1000342,CVE-2016-1000343,CVE-2016-1000344,CVE-2016-1000345,CVE-2016-1000346,CVE-2016-1000352,CVE-2017-13098
Sources used: openSUSE Leap 42.3 (src): bouncycastle-1.59-23.3.1
This is an autogenerated message for OBS integration: This bug (1072697) was mentioned in https://build.opensuse.org/request/show/624019 15.0 / bouncycastle
openSUSE-SU-2018:2131-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1072697,1100694
CVE References: CVE-2017-13098,CVE-2018-1000613
Sources used: openSUSE Leap 15.0 (src): bouncycastle-1.60-lp150.2.3.1
This is an autogenerated message for OBS integration: This bug (1072697) was mentioned in https://build.opensuse.org/request/show/798905 15.1 / bouncycastle
openSUSE-SU-2020:0607-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1072697,1100694
CVE References: CVE-2017-13098,CVE-2018-1000613
Sources used: openSUSE Leap 15.1 (src): bouncycastle-1.60-lp151.3.3.1