CVE-2016-1000343

Aliases:GHSA-rrvx-pwf8-p59p

Advisory lineage Upstream: 0 Downstream: 7

Downstream

DEBIAN-CVE-2016-1000343 DLA-1418-1 MGASA-2018-0376 OPENSUSE-SU-2024:10661-1 RHSA-2018:2927 UBUNTU-CVE-2016-1000343

Modified

Published: 04 Jun 2018, 13:00

Last modified:06 Aug 2024, 03:55

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.0 (nvd)

EPSS Score

1.07% LOW

1% probability +0.35%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

04 Jun 2018, 13:00

Published

Vulnerability first disclosed

06 Aug 2024, 03:55

Last Modified

Vulnerability information updated

Description

In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.

CVSS Metrics

v3.0•HIGH•Score: 7.5CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 1.07%• Percentile: 78%

Techniques & Countermeasures

CWE-310•Cryptographic Issues
Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.

Affected Systems

bouncycastle•bc-java
≤ 1.55
debian•debian_linux
8.0
org.bouncycastle•bcprov-jdk14
< 1.56
org.bouncycastle•bcprov-jdk15
< 1.56
org.bouncycastle•bcprov-jdk15on
< 1.56