Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2020-15522 (GCVE-0-2020-15522)
Vulnerability from cvelistv5 – Published: 2021-05-20 11:20 – Updated: 2024-08-04 13:15
VLAI?
EPSS
Summary
Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:15:20.863Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.bouncycastle.org/releasenotes.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bcgit/bc-java/wiki/CVE-2020-15522"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210622-0007/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-22T08:06:30.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.bouncycastle.org/releasenotes.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bcgit/bc-java/wiki/CVE-2020-15522"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210622-0007/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15522",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.bouncycastle.org/releasenotes.html",
"refsource": "MISC",
"url": "https://www.bouncycastle.org/releasenotes.html"
},
{
"name": "https://github.com/bcgit/bc-java/wiki/CVE-2020-15522",
"refsource": "MISC",
"url": "https://github.com/bcgit/bc-java/wiki/CVE-2020-15522"
},
{
"name": "https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522",
"refsource": "MISC",
"url": "https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210622-0007/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210622-0007/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15522",
"datePublished": "2021-05-20T11:20:18.000Z",
"dateReserved": "2020-07-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:15:20.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2020-15522
Vulnerability from fkie_nvd - Published: 2021-05-20 12:15 - Updated: 2025-07-17 17:04
Severity ?
Summary
Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522 | Third Party Advisory | |
| cve@mitre.org | https://github.com/bcgit/bc-java/wiki/CVE-2020-15522 | Third Party Advisory | |
| cve@mitre.org | https://security.netapp.com/advisory/ntap-20210622-0007/ | ||
| cve@mitre.org | https://www.bouncycastle.org/releasenotes.html | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bcgit/bc-java/wiki/CVE-2020-15522 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20210622-0007/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://www.bouncycastle.org/releasenotes.html | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bouncycastle | bc-csharp | * | |
| bouncycastle | bouncy_castle_fips_.net_api | * | |
| bouncycastle | fips_java_api | * | |
| bouncycastle | fips_java_api | * | |
| bouncycastle | the_bouncy_castle_crypto_package_for_java | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bouncycastle:bc-csharp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E617E18C-5957-450B-A6F2-F3A5E8202D3F",
"versionEndExcluding": "1.8.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bouncycastle:bouncy_castle_fips_.net_api:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4A4C68F3-451F-46C7-932A-1D04828CB87B",
"versionEndExcluding": "1.0.1.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bouncycastle:fips_java_api:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F0B7168C-AAB1-4E4D-8B38-C50C38FBF3D6",
"versionEndExcluding": "1.0.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bouncycastle:fips_java_api:*:*:*:*:*:*:*:*",
"matchCriteriaId": "91805F10-A585-4724-9A09-141031E303A2",
"versionEndExcluding": "1.0.2.1",
"versionStartIncluding": "1.0.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A7D7F6F7-8F74-41E0-9AFA-2FB26773DF69",
"versionEndExcluding": "1.66",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures."
},
{
"lang": "es",
"value": "Bouncy Castle BC Java versiones anteriores a 1.66, BC C # .NET versiones anteriores a 1.8.7, BC-FJA versiones anteriores a 1.0.1.2, 1.0.2.1 y BC-FNA versiones anteriores a 1.0.1.1, presentan un problema de sincronizaci\u00f3n dentro de la biblioteca EC math que puede exponer informaci\u00f3n sobre la clave privada cuando un atacante es capaz de observar informaci\u00f3n de sincronizaci\u00f3n para la generaci\u00f3n de m\u00faltiples firmas ECDSA deterministas"
}
],
"id": "CVE-2020-15522",
"lastModified": "2025-07-17T17:04:58.987",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-05-20T12:15:08.003",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bcgit/bc-java/wiki/CVE-2020-15522"
},
{
"source": "cve@mitre.org",
"url": "https://security.netapp.com/advisory/ntap-20210622-0007/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.bouncycastle.org/releasenotes.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bcgit/bc-java/wiki/CVE-2020-15522"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20210622-0007/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.bouncycastle.org/releasenotes.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-362"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-6XX3-RG99-GC3P
Vulnerability from github – Published: 2021-08-13 15:22 – Updated: 2025-07-17 22:05
VLAI?
Summary
Timing based private key exposure in Bouncy Castle
Details
Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.2.1, BC before 1.66, BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.
Severity ?
5.1 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.2"
},
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bc-fips"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-ext-jdk15on"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.66"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-ext-jdk16"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.66"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-jdk14"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.66"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-jdk15"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.66"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-jdk15on"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.66"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-jdk15to18"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.66"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-jdk16"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.66"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "BouncyCastle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-15522"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-362"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-21T17:50:36Z",
"nvd_published_at": "2021-05-20T12:15:00Z",
"severity": "MODERATE"
},
"details": "Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.2.1, BC before 1.66, BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.",
"id": "GHSA-6xx3-rg99-gc3p",
"modified": "2025-07-17T22:05:07Z",
"published": "2021-08-13T15:22:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15522"
},
{
"type": "WEB",
"url": "https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522"
},
{
"type": "WEB",
"url": "https://github.com/bcgit/bc-java/wiki/CVE-2020-15522"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210622-0007"
},
{
"type": "WEB",
"url": "https://www.bouncycastle.org/releasenotes.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Timing based private key exposure in Bouncy Castle"
}
CERTFR-2022-AVI-952
Vulnerability from certfr_avis - Published: 2022-10-26 - Updated: 2022-10-26
De multiples vulnérabilités ont été découvertes dans IBM QRadar. Certaines d'entre elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, une exécution de code arbitraire à distance et un déni de service à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "QRadar SIEM versions 7.5 ant\u00e9rieures \u00e0 7.5.0 Update Pack 3",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar SIEM versions 7.4 ant\u00e9rieures \u00e0 7.4.3 Fix Pack 7",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-33036",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33036"
},
{
"name": "CVE-2022-30973",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30973"
},
{
"name": "CVE-2021-38185",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-38185"
},
{
"name": "CVE-2022-25169",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25169"
},
{
"name": "CVE-2022-25762",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25762"
},
{
"name": "CVE-2022-2048",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2048"
},
{
"name": "CVE-2018-25032",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-25032"
},
{
"name": "CVE-2022-32250",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32250"
},
{
"name": "CVE-2022-1966",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1966"
},
{
"name": "CVE-2022-2047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2047"
},
{
"name": "CVE-2021-37404",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37404"
},
{
"name": "CVE-2022-1271",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1271"
},
{
"name": "CVE-2022-22968",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22968"
},
{
"name": "CVE-2022-0492",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0492"
},
{
"name": "CVE-2022-1552",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1552"
},
{
"name": "CVE-2020-15522",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15522"
},
{
"name": "CVE-2022-1729",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1729"
},
{
"name": "CVE-2022-1154",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1154"
},
{
"name": "CVE-2022-30126",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30126"
},
{
"name": "CVE-2022-29885",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29885"
},
{
"name": "CVE-2022-33879",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-33879"
},
{
"name": "CVE-2021-3634",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3634"
}
],
"initial_release_date": "2022-10-26T00:00:00",
"last_revision_date": "2022-10-26T00:00:00",
"links": [],
"reference": "CERTFR-2022-AVI-952",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-10-26T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
},
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans IBM QRadar.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un\nprobl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, une ex\u00e9cution de code\narbitraire \u00e0 distance et un d\u00e9ni de service \u00e0 distance.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM QRadar",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6831853 du 25 octobre 2022",
"url": "https://www.ibm.com/support/pages/node/6831853"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6831855 du 25 octobre 2022",
"url": "https://www.ibm.com/support/pages/node/6831855"
}
]
}
CERTFR-2021-AVI-951
Vulnerability from certfr_avis - Published: 2021-12-15 - Updated: 2021-12-15
De multiples vulnérabilités ont été découvertes dans le noyau Linux de RedHat. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service et une atteinte à l'intégrité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - AUS 8.4 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - TUS 8.4 x86_64 | ||
| Red Hat | N/A | Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64 | ||
| SolarWinds | Platform | Red Hat OpenShift Container Platform for Power 4.8 for RHEL 8 ppc64le | ||
| Red Hat | N/A | Red Hat Integration Text-Only Advisories x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.4 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.4 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Real Time for NFV - Telecommunications Update Service 8.4 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64 | ||
| Red Hat | N/A | Red Hat Openshift Application Runtimes Text-Only Advisories x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.4 x86_64 | ||
| Red Hat | N/A | Red Hat Integration - Camel K 1 x86_64 | ||
| SolarWinds | Platform | Red Hat OpenShift Container Platform 4.8 for RHEL 8 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le | ||
| Red Hat | N/A | Red Hat Fuse 1 x86_64 | ||
| SolarWinds | Platform | Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.8 for RHEL 8 s390x | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Real Time - Telecommunications Update Service 8.4 x86_64 | ||
| Red Hat | N/A | Red Hat JBoss Data Grid Text-Only Advisories x86_64 |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Red Hat Enterprise Linux Server - AUS 8.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - TUS 8.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for Power 4.8 for RHEL 8 ppc64le",
"product": {
"name": "Platform",
"vendor": {
"name": "SolarWinds",
"scada": false
}
}
},
{
"description": "Red Hat Integration Text-Only Advisories x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.4 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.4 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time for NFV - Telecommunications Update Service 8.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Openshift Application Runtimes Text-Only Advisories x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.4 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Integration - Camel K 1 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform 4.8 for RHEL 8 x86_64",
"product": {
"name": "Platform",
"vendor": {
"name": "SolarWinds",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Fuse 1 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.8 for RHEL 8 s390x",
"product": {
"name": "Platform",
"vendor": {
"name": "SolarWinds",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time - Telecommunications Update Service 8.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat JBoss Data Grid Text-Only Advisories x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2020-27223",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27223"
},
{
"name": "CVE-2020-27218",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27218"
},
{
"name": "CVE-2021-21343",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21343"
},
{
"name": "CVE-2021-29425",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29425"
},
{
"name": "CVE-2021-21409",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21409"
},
{
"name": "CVE-2021-22118",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22118"
},
{
"name": "CVE-2020-2875",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2875"
},
{
"name": "CVE-2021-3536",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3536"
},
{
"name": "CVE-2021-28169",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28169"
},
{
"name": "CVE-2021-21348",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21348"
},
{
"name": "CVE-2020-11988",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11988"
},
{
"name": "CVE-2020-35510",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-35510"
},
{
"name": "CVE-2021-45606",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-45606"
},
{
"name": "CVE-2020-2934",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2934"
},
{
"name": "CVE-2021-21344",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21344"
},
{
"name": "CVE-2020-26259",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26259"
},
{
"name": "CVE-2021-3597",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3597"
},
{
"name": "CVE-2021-28170",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28170"
},
{
"name": "CVE-2021-21341",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21341"
},
{
"name": "CVE-2020-13949",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13949"
},
{
"name": "CVE-2021-4104",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4104"
},
{
"name": "CVE-2021-3690",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3690"
},
{
"name": "CVE-2020-17521",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-17521"
},
{
"name": "CVE-2021-22696",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22696"
},
{
"name": "CVE-2021-28163",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28163"
},
{
"name": "CVE-2021-37137",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37137"
},
{
"name": "CVE-2020-9488",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9488"
},
{
"name": "CVE-2021-21347",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21347"
},
{
"name": "CVE-2021-27568",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27568"
},
{
"name": "CVE-2020-26217",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26217"
},
{
"name": "CVE-2021-37136",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37136"
},
{
"name": "CVE-2021-23926",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23926"
},
{
"name": "CVE-2019-10744",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10744"
},
{
"name": "CVE-2021-21295",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21295"
},
{
"name": "CVE-2021-21346",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21346"
},
{
"name": "CVE-2021-30468",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30468"
},
{
"name": "CVE-2021-21351",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21351"
},
{
"name": "CVE-2021-21345",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21345"
},
{
"name": "CVE-2020-28491",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28491"
},
{
"name": "CVE-2021-45046",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-45046"
},
{
"name": "CVE-2021-37714",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37714"
},
{
"name": "CVE-2019-12415",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-12415"
},
{
"name": "CVE-2021-20218",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20218"
},
{
"name": "CVE-2020-27782",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27782"
},
{
"name": "CVE-2021-30129",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30129"
},
{
"name": "CVE-2020-17527",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-17527"
},
{
"name": "CVE-2021-21349",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21349"
},
{
"name": "CVE-2021-44228",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
},
{
"name": "CVE-2020-13943",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13943"
},
{
"name": "CVE-2020-15522",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15522"
},
{
"name": "CVE-2021-28164",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28164"
},
{
"name": "CVE-2020-11987",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11987"
},
{
"name": "CVE-2021-21290",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21290"
},
{
"name": "CVE-2021-21342",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21342"
},
{
"name": "CVE-2021-3629",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3629"
},
{
"name": "CVE-2021-21350",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21350"
},
{
"name": "CVE-2021-34428",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34428"
}
],
"initial_release_date": "2021-12-15T00:00:00",
"last_revision_date": "2021-12-15T00:00:00",
"links": [
{
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5101 du 14 d\u00e9cembre 2021",
"url": "https://access.redhat.com/errata/RHBA-2021:5101"
}
],
"reference": "CERTFR-2021-AVI-951",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-12-15T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de\nRedHat. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service et une\natteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de RedHat",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5130 du 14 d\u00e9cembre 2021",
"url": "https://access.redhat.com/errata/RHSA-2021:5130"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHBA-2021:5114 du 14 d\u00e9cembre 2021",
"url": "https://access.redhat.com/errata/RHBA-2021:5114"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5138 du 14 d\u00e9cembre 2021",
"url": "https://access.redhat.com/errata/RHSA-2021:5138"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5132 du 14 d\u00e9cembre 2021",
"url": "https://access.redhat.com/errata/RHSA-2021:5132"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5126 du 14 d\u00e9cembre 2021",
"url": "https://access.redhat.com/errata/RHSA-2021:5126"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5134 du 14 d\u00e9cembre 2021",
"url": "https://access.redhat.com/errata/RHSA-2021:5134"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5133 du 14 d\u00e9cembre 2021",
"url": "https://access.redhat.com/errata/RHSA-2021:5133"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5108 du 14 d\u00e9cembre 2021",
"url": "https://access.redhat.com/errata/RHSA-2021:5108"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5093 du 14 d\u00e9cembre 2021",
"url": "https://access.redhat.com/errata/RHSA-2021:5093"
}
]
}
CVE-2020-15522
Vulnerability from fstec - Published: 04.07.2020
VLAI Severity ?
Title
Уязвимость библиотеки проверки ключа EC модуля Math средств криптографической защиты Bouncy Castle, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
Description
Уязвимость библиотеки проверки ключа EC модуля Math средств криптографической защиты Bouncy Castle связана с ошибками синхронизации при использовании общего ресурса при обработке детерминированных цифровых подписей ECDSA. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, получить несанкционированный доступ к защищаемой информации
Severity ?
Vendor
Legion of the Bouncy Castle Inc., NetApp Inc., Elastic NV
Software Name
Bouncy Castle, Bouncy Castle FIPS Java API (BC-FJA), Bouncy Castle Crypto Package For Java, Bouncy Castle Cryptography Library For .NET, Bouncy Castle FIPS .NET API (BC-FNA), Active IQ Unified Manager for Linux, Active IQ Unified Manager for Microsoft Windows, Active IQ Unified Manager for VMware vSphere, Oncommand Insight, SANtricity Storage Plugin for vCenter, SnapCenter, Elasticsearch
Software Version
до 1.66 (Bouncy Castle), до 1.0.2.1 (Bouncy Castle FIPS Java API (BC-FJA)), до 1.66 (Bouncy Castle Crypto Package For Java), до 1.8.7 (Bouncy Castle Cryptography Library For .NET), до 1.0.1.1 (Bouncy Castle FIPS .NET API (BC-FNA)), до 9.10 (Active IQ Unified Manager for Linux), до 9.10 (Active IQ Unified Manager for Microsoft Windows), до 9.10 (Active IQ Unified Manager for VMware vSphere), до 7.3.12 (Oncommand Insight), до 1.4 (SANtricity Storage Plugin for vCenter), до 4.5 (SnapCenter), 8.7.1 (Elasticsearch)
Possible Mitigations
Использование рекомендаций:
Для программных продуктов Legion of the Bouncy Castle Inc.:
https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522
https://github.com/bcgit/bc-java/wiki/CVE-2020-15522
https://www.bouncycastle.org/releasenotes.html
https://github.com/bcgit/bc-csharp/releases/tag/release-1.8.7
https://github.com/bcgit/bc-java/releases/tag/r1rv66
Для NetApp, Inc.:
https://security.netapp.com/advisory/ntap-20210622-0007/
Для Elasticsearch:
https://github.com/elastic/elasticsearch/releases
Reference
https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522
https://github.com/bcgit/bc-java/wiki/CVE-2020-15522
https://security.netapp.com/advisory/ntap-20210622-0007/
https://www.bouncycastle.org/releasenotes.html
https://discuss.elastic.co/t/cves-present-in-the-latest-version/332950
https://jvndb.jvn.jp/ja/contents/2020/JVNDB-2020-015754.html
https://bugzilla.redhat.com/show_bug.cgi?id=1962879
CWE
CWE-362
{
"CVSS 2.0": "AV:N/AC:M/Au:N/C:C/I:N/A:N",
"CVSS 3.0": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Legion of the Bouncy Castle Inc., NetApp Inc., Elastic NV",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u0434\u043e 1.66 (Bouncy Castle), \u0434\u043e 1.0.2.1 (Bouncy Castle FIPS Java API (BC-FJA)), \u0434\u043e 1.66 (Bouncy Castle Crypto Package For Java), \u0434\u043e 1.8.7 (Bouncy Castle Cryptography Library For .NET), \u0434\u043e 1.0.1.1 (Bouncy Castle FIPS .NET API (BC-FNA)), \u0434\u043e 9.10 (Active IQ Unified Manager for Linux), \u0434\u043e 9.10 (Active IQ Unified Manager for Microsoft Windows), \u0434\u043e 9.10 (Active IQ Unified Manager for VMware vSphere), \u0434\u043e 7.3.12 (Oncommand Insight), \u0434\u043e 1.4 (SANtricity Storage Plugin for vCenter), \u0434\u043e 4.5 (SnapCenter), 8.7.1 (Elasticsearch)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Legion of the Bouncy Castle Inc.:\nhttps://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522\nhttps://github.com/bcgit/bc-java/wiki/CVE-2020-15522\nhttps://www.bouncycastle.org/releasenotes.html\nhttps://github.com/bcgit/bc-csharp/releases/tag/release-1.8.7\nhttps://github.com/bcgit/bc-java/releases/tag/r1rv66\n\n\u0414\u043b\u044f NetApp, Inc.:\nhttps://security.netapp.com/advisory/ntap-20210622-0007/\n\n\u0414\u043b\u044f Elasticsearch:\nhttps://github.com/elastic/elasticsearch/releases",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "04.07.2020",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "01.11.2023",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "01.11.2023",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2023-07367",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2020-15522",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Bouncy Castle, Bouncy Castle FIPS Java API (BC-FJA), Bouncy Castle Crypto Package For Java, Bouncy Castle Cryptography Library For .NET, Bouncy Castle FIPS .NET API (BC-FNA), Active IQ Unified Manager for Linux, Active IQ Unified Manager for Microsoft Windows, Active IQ Unified Manager for VMware vSphere, Oncommand Insight, SANtricity Storage Plugin for vCenter, SnapCenter, Elasticsearch",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u043a\u043b\u044e\u0447\u0430 EC \u043c\u043e\u0434\u0443\u043b\u044f Math \u0441\u0440\u0435\u0434\u0441\u0442\u0432 \u043a\u0440\u0438\u043f\u0442\u043e\u0433\u0440\u0430\u0444\u0438\u0447\u0435\u0441\u043a\u043e\u0439 \u0437\u0430\u0449\u0438\u0442\u044b Bouncy Castle, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041e\u0434\u043d\u043e\u0432\u0440\u0435\u043c\u0435\u043d\u043d\u043e\u0435 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u043e\u0431\u0449\u0435\u0433\u043e \u0440\u0435\u0441\u0443\u0440\u0441\u0430 \u0441 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e\u0439 \u0441\u0438\u043d\u0445\u0440\u043e\u043d\u0438\u0437\u0430\u0446\u0438\u0435\u0439 (\u00ab\u0421\u0438\u0442\u0443\u0430\u0446\u0438\u044f \u0433\u043e\u043d\u043a\u0438\u00bb) (CWE-362)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u043a\u043b\u044e\u0447\u0430 EC \u043c\u043e\u0434\u0443\u043b\u044f Math \u0441\u0440\u0435\u0434\u0441\u0442\u0432 \u043a\u0440\u0438\u043f\u0442\u043e\u0433\u0440\u0430\u0444\u0438\u0447\u0435\u0441\u043a\u043e\u0439 \u0437\u0430\u0449\u0438\u0442\u044b Bouncy Castle \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0448\u0438\u0431\u043a\u0430\u043c\u0438 \u0441\u0438\u043d\u0445\u0440\u043e\u043d\u0438\u0437\u0430\u0446\u0438\u0438 \u043f\u0440\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0438 \u043e\u0431\u0449\u0435\u0433\u043e \u0440\u0435\u0441\u0443\u0440\u0441\u0430 \u043f\u0440\u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0435 \u0434\u0435\u0442\u0435\u0440\u043c\u0438\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0445 \u0446\u0438\u0444\u0440\u043e\u0432\u044b\u0445 \u043f\u043e\u0434\u043f\u0438\u0441\u0435\u0439 ECDSA. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0440\u043e\u043a\u0430\u043c\u0438 \u0438 \u0441\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435\u043c",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522 \nhttps://github.com/bcgit/bc-java/wiki/CVE-2020-15522 \nhttps://security.netapp.com/advisory/ntap-20210622-0007/ \nhttps://www.bouncycastle.org/releasenotes.html\nhttps://discuss.elastic.co/t/cves-present-in-the-latest-version/332950\nhttps://jvndb.jvn.jp/ja/contents/2020/JVNDB-2020-015754.html\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1962879",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e \u0437\u0430\u0449\u0438\u0442\u044b, \u0421\u0440\u0435\u0434\u0441\u0442\u0432\u043e \u0437\u0430\u0449\u0438\u0442\u044b, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u0421\u0423\u0411\u0414, \u041f\u041e \u0434\u043b\u044f \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u043a\u0438 \u0418\u0418",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-362",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,1)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 5,9)"
}
GSD-2020-15522
Vulnerability from gsd - Updated: 2023-12-13 01:21Details
Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2020-15522",
"description": "Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.",
"id": "GSD-2020-15522",
"references": [
"https://www.suse.com/security/cve/CVE-2020-15522.html",
"https://access.redhat.com/errata/RHSA-2021:5134",
"https://access.redhat.com/errata/RHSA-2021:2755",
"https://access.redhat.com/errata/RHSA-2021:1401",
"https://access.redhat.com/errata/RHSA-2022:1013",
"https://access.redhat.com/errata/RHSA-2022:1029"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2020-15522"
],
"details": "Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.",
"id": "GSD-2020-15522",
"modified": "2023-12-13T01:21:43.947443Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15522",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.bouncycastle.org/releasenotes.html",
"refsource": "MISC",
"url": "https://www.bouncycastle.org/releasenotes.html"
},
{
"name": "https://github.com/bcgit/bc-java/wiki/CVE-2020-15522",
"refsource": "MISC",
"url": "https://github.com/bcgit/bc-java/wiki/CVE-2020-15522"
},
{
"name": "https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522",
"refsource": "MISC",
"url": "https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210622-0007/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210622-0007/"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "(,1.0.2]",
"affected_versions": "All versions up to 1.0.2",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-362",
"CWE-937"
],
"date": "2021-08-13",
"description": "Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.",
"fixed_versions": [
"1.0.2.1"
],
"identifier": "CVE-2020-15522",
"identifiers": [
"GHSA-6xx3-rg99-gc3p",
"CVE-2020-15522"
],
"not_impacted": "All versions after 1.0.2",
"package_slug": "maven/org.bouncycastle/bc-fips",
"pubdate": "2021-08-13",
"solution": "Upgrade to version 1.0.2.1 or above.",
"title": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-15522",
"https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522",
"https://github.com/bcgit/bc-java/wiki/CVE-2020-15522",
"https://github.com/advisories/GHSA-6xx3-rg99-gc3p"
],
"uuid": "92256c79-6b98-45b1-bd38-9359cc3c739f"
},
{
"affected_range": "(,1.66)",
"affected_versions": "All versions before 1.66",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-362",
"CWE-937"
],
"date": "2021-08-13",
"description": "Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.",
"fixed_versions": [
"1.66"
],
"identifier": "CVE-2020-15522",
"identifiers": [
"GHSA-6xx3-rg99-gc3p",
"CVE-2020-15522"
],
"not_impacted": "All versions starting from 1.66",
"package_slug": "maven/org.bouncycastle/bcprov-ext-jdk15on",
"pubdate": "2021-08-13",
"solution": "Upgrade to version 1.66 or above.",
"title": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-15522",
"https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522",
"https://github.com/bcgit/bc-java/wiki/CVE-2020-15522",
"https://github.com/advisories/GHSA-6xx3-rg99-gc3p"
],
"uuid": "558a3648-6fff-40ba-b907-ca96f1659f6a"
},
{
"affected_range": "(,1.66)",
"affected_versions": "All versions before 1.66",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-362",
"CWE-937"
],
"date": "2021-08-13",
"description": "Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.",
"fixed_versions": [
"1.66"
],
"identifier": "CVE-2020-15522",
"identifiers": [
"GHSA-6xx3-rg99-gc3p",
"CVE-2020-15522"
],
"not_impacted": "All versions starting from 1.66",
"package_slug": "maven/org.bouncycastle/bcprov-ext-jdk16",
"pubdate": "2021-08-13",
"solution": "Upgrade to version 1.66 or above.",
"title": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-15522",
"https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522",
"https://github.com/bcgit/bc-java/wiki/CVE-2020-15522",
"https://github.com/advisories/GHSA-6xx3-rg99-gc3p"
],
"uuid": "faf09853-f24c-4243-a208-96f8604dd734"
},
{
"affected_range": "(,1.66)",
"affected_versions": "All versions before 1.66",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-362",
"CWE-937"
],
"date": "2021-08-13",
"description": "Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.",
"fixed_versions": [
"1.66"
],
"identifier": "CVE-2020-15522",
"identifiers": [
"GHSA-6xx3-rg99-gc3p",
"CVE-2020-15522"
],
"not_impacted": "All versions starting from 1.66",
"package_slug": "maven/org.bouncycastle/bcprov-jdk14",
"pubdate": "2021-08-13",
"solution": "Upgrade to version 1.66 or above.",
"title": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-15522",
"https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522",
"https://github.com/bcgit/bc-java/wiki/CVE-2020-15522",
"https://github.com/advisories/GHSA-6xx3-rg99-gc3p"
],
"uuid": "719b6d6f-fac9-4127-a11f-d46b06591b61"
},
{
"affected_range": "(,1.66)",
"affected_versions": "All versions before 1.66",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-362",
"CWE-937"
],
"date": "2021-08-13",
"description": "Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.",
"fixed_versions": [
"1.66"
],
"identifier": "CVE-2020-15522",
"identifiers": [
"GHSA-6xx3-rg99-gc3p",
"CVE-2020-15522"
],
"not_impacted": "All versions starting from 1.66",
"package_slug": "maven/org.bouncycastle/bcprov-jdk15",
"pubdate": "2021-08-13",
"solution": "Upgrade to version 1.66 or above.",
"title": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-15522",
"https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522",
"https://github.com/bcgit/bc-java/wiki/CVE-2020-15522",
"https://github.com/advisories/GHSA-6xx3-rg99-gc3p"
],
"uuid": "84a32192-9bcf-482d-abd7-ead5233e712e"
},
{
"affected_range": "(,1.66)",
"affected_versions": "All versions before 1.66",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-362",
"CWE-937"
],
"date": "2021-08-13",
"description": "Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.",
"fixed_versions": [
"1.66"
],
"identifier": "CVE-2020-15522",
"identifiers": [
"GHSA-6xx3-rg99-gc3p",
"CVE-2020-15522"
],
"not_impacted": "All versions starting from 1.66",
"package_slug": "maven/org.bouncycastle/bcprov-jdk15on",
"pubdate": "2021-08-13",
"solution": "Upgrade to version 1.66 or above.",
"title": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-15522",
"https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522",
"https://github.com/bcgit/bc-java/wiki/CVE-2020-15522",
"https://security.netapp.com/advisory/ntap-20210622-0007/",
"https://www.bouncycastle.org/releasenotes.html",
"https://github.com/advisories/GHSA-6xx3-rg99-gc3p"
],
"uuid": "f1041973-bd6b-4272-af28-cacd515ec88d"
},
{
"affected_range": "(,1.66)",
"affected_versions": "All versions before 1.66",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-362",
"CWE-937"
],
"date": "2021-08-13",
"description": "Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.",
"fixed_versions": [
"1.66"
],
"identifier": "CVE-2020-15522",
"identifiers": [
"GHSA-6xx3-rg99-gc3p",
"CVE-2020-15522"
],
"not_impacted": "All versions starting from 1.66",
"package_slug": "maven/org.bouncycastle/bcprov-jdk15to18",
"pubdate": "2021-08-13",
"solution": "Upgrade to version 1.66 or above.",
"title": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-15522",
"https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522",
"https://github.com/bcgit/bc-java/wiki/CVE-2020-15522",
"https://github.com/advisories/GHSA-6xx3-rg99-gc3p"
],
"uuid": "885d4588-0042-4f66-b2e2-47a86bf559d9"
},
{
"affected_range": "(,1.66)",
"affected_versions": "All versions before 1.66",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-362",
"CWE-937"
],
"date": "2021-08-13",
"description": "Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.",
"fixed_versions": [
"1.66"
],
"identifier": "CVE-2020-15522",
"identifiers": [
"GHSA-6xx3-rg99-gc3p",
"CVE-2020-15522"
],
"not_impacted": "All versions starting from 1.66",
"package_slug": "maven/org.bouncycastle/bcprov-jdk16",
"pubdate": "2021-08-13",
"solution": "Upgrade to version 1.66 or above.",
"title": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-15522",
"https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522",
"https://github.com/bcgit/bc-java/wiki/CVE-2020-15522",
"https://github.com/advisories/GHSA-6xx3-rg99-gc3p"
],
"uuid": "250ddc00-f5cd-4637-be2e-df7624ce78ac"
},
{
"affected_range": "(,1.8.7)",
"affected_versions": "All versions before 1.8.7",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-362",
"CWE-937"
],
"date": "2023-05-30",
"description": "Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.",
"fixed_versions": [
"1.8.7"
],
"identifier": "CVE-2020-15522",
"identifiers": [
"GHSA-6xx3-rg99-gc3p",
"CVE-2020-15522"
],
"not_impacted": "All versions starting from 1.8.7",
"package_slug": "nuget/BouncyCastle",
"pubdate": "2021-08-13",
"solution": "Upgrade to version 1.8.7 or above.",
"title": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-15522",
"https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522",
"https://github.com/bcgit/bc-java/wiki/CVE-2020-15522",
"https://security.netapp.com/advisory/ntap-20210622-0007/",
"https://www.bouncycastle.org/releasenotes.html",
"https://github.com/advisories/GHSA-6xx3-rg99-gc3p"
],
"uuid": "4380e2b1-86ed-4165-8e96-7dac32cfc762"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:bouncycastle:bc-csharp:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.8.7",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:bouncycastle:bouncy_castle_fips_.net_api:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.0.1.1",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-fips-java-api:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.0.1.2",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-fips-java-api:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.0.2.1",
"versionStartIncluding": "1.0.2",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.66",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15522"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-362"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522"
},
{
"name": "https://www.bouncycastle.org/releasenotes.html",
"refsource": "MISC",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.bouncycastle.org/releasenotes.html"
},
{
"name": "https://github.com/bcgit/bc-java/wiki/CVE-2020-15522",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bcgit/bc-java/wiki/CVE-2020-15522"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210622-0007/",
"refsource": "CONFIRM",
"tags": [],
"url": "https://security.netapp.com/advisory/ntap-20210622-0007/"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6
}
},
"lastModifiedDate": "2021-06-22T09:15Z",
"publishedDate": "2021-05-20T12:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…