Versio.io

CVE-2018-5382

Common vulnerabilities & exposures (CVE)

Published at: 16-04-2018 04:29
Last modified: 20-04-2022 05:31
Total changes: 6

Description

The default BKS keystore uses an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS keystore. Bouncy Castle release 1.47 changes the BKS format to one that uses a 160-bit HMAC instead. This applies to any BKS keystore generated prior to BC 1.47. For situations where people need to create the files for legacy reasons, a specific keystore type "BKS-V1" was introduced in 1.49. It should be noted that the use of "BKS-V1" is discouraged by the library authors and should only be used where it is otherwise safe to do so, that is, where the use of a 16-bit checksum for the file integrity check is not going to cause a security issue in itself.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Base score: 4.4
Exploitability score: 1.8
Impact score: 2.5

Verification logic

vendor=bouncycastle AND product=legion-of-the-bouncy-castle-java-crytography-api AND versionEndIncluding=1.49
OR
vendor=Red Hat Enterprise Linux AND product=satellite AND version=6.4
OR
vendor=Red Hat Enterprise Linux AND product=satellite_capsule AND version=6.4

Keywords

NVD, CVE-2018-5382, CVE, Common vulnerabilities & exposures, CVSS, Common vulnerability scoring system, Security, Vulnerabilities, Exposures