CVE-2016-1000346
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000346
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-1000346.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2016-1000346
- Aliases
- Downstream
- Related
- Published
- 2018-06-04T21:29:00Z
- Modified
- 2025-10-21T02:35:24Z
- Severity
-
- 3.7 (Low) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.
- References
-
- https://access.redhat.com/errata/RHSA-2018:2669
- https://access.redhat.com/errata/RHSA-2018:2927
- https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495#diff-d525a20b8acaed791ae2f0f770eb5937
- https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html
- https://security.netapp.com/advisory/ntap-20181127-0004/
- https://usn.ubuntu.com/3727-1/
- https://www.oracle.com/security-alerts/cpuoct2020.html
Affected packages
Git / github.com/bcgit/bc-java
Affected ranges
- Type
- GIT
- Repo
- https://github.com/bcgit/bc-java
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Database specific
vanir_signatures
[
{
"source": "https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495",
"target": {
"function": "calculateAgreement",
"file": "core/src/main/java/org/bouncycastle/crypto/agreement/DHBasicAgreement.java"
},
"id": "CVE-2016-1000346-2ce823c1",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "185026077508031655794270039269558104348",
"length": 283.0
},
"signature_type": "Function"
},
{
"source": "https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495",
"target": {
"file": "prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dh/KeyAgreementSpi.java"
},
"id": "CVE-2016-1000346-8ccdf41e",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"247997121823651805244633917361933897791",
"313294642304152614118091490012356170051",
"127689328483691251485348897798533128293",
"33103616125336355740023081394931130000",
"290351207297392154867896590579277362773",
"68088333778385038202513466227324306918",
"94507814895673301136789431904356819219",
"302786305505212419355364677167690593091",
"60016128871656692581638961225776974459",
"208488870259168361410923234242343124841",
"190891259409140156645373035822722878210",
"16075277178013373311097170001557121534",
"146658604301481920722746176280765967736",
"222091921004553445667225155855643535021",
"251541446757221174933480976546685956178"
],
"threshold": 0.9
},
"signature_type": "Line"
},
{
"source": "https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495",
"target": {
"file": "core/src/main/java/org/bouncycastle/crypto/agreement/DHAgreement.java"
},
"id": "CVE-2016-1000346-9b309b3c",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"936612967058204743196364074915333868",
"141236568412354917146646841571405610169",
"145646568087226663222565423721425936249",
"309480494439546096169497146092253586622",
"259720814362292178598033044670969376926",
"247301899120301855329380873600630155874",
"170224327821934689471979223616473673671",
"180827444332364954121758615593898215154",
"110036999093500799624063553621258752356",
"315905885869575241052547793044482652677",
"232667083830741178479368513931285477853",
"188993442896457892943199299472127475048",
"173476438563952840205883442954518398184",
"204749182687090865682042543171843080005",
"3065208784388466948754921437328893431"
],
"threshold": 0.9
},
"signature_type": "Line"
},
{
"source": "https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495",
"target": {
"file": "core/src/main/java/org/bouncycastle/crypto/params/DHPublicKeyParameters.java"
},
"id": "CVE-2016-1000346-bdc62a69",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"284851692939748055270641962399301113136",
"321555525650950566037591807895124532059",
"39463599675214323422137582161216773049",
"286882396208524444738041638919558305213",
"274323740090003665755080267190994775850",
"128720080268202564346773780005654865248",
"64009232786514856853140935970729786318",
"252041170514747428684955706262824984139",
"103752625690005068510173949260981834513",
"34793854889450973455021005677140166452",
"67169686462951004570554990257287462916",
"171308696974138126375305776595003035777",
"310883505446060274480033612234430359119",
"89690686453314892191285554343431792733",
"327082981813943561463663604999286033550"
],
"threshold": 0.9
},
"signature_type": "Line"
},
{
"source": "https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495",
"target": {
"function": "calculateAgreement",
"file": "core/src/main/java/org/bouncycastle/crypto/agreement/DHAgreement.java"
},
"id": "CVE-2016-1000346-c8882255",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "53976787455240508373319660947458464549",
"length": 363.0
},
"signature_type": "Function"
},
{
"source": "https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495",
"target": {
"function": "engineDoPhase",
"file": "prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dh/KeyAgreementSpi.java"
},
"id": "CVE-2016-1000346-cd52c97d",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "244681075118881995139948659880094147934",
"length": 710.0
},
"signature_type": "Function"
},
{
"source": "https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495",
"target": {
"function": "processBlock",
"file": "core/src/main/java/org/bouncycastle/crypto/engines/IESEngine.java"
},
"id": "CVE-2016-1000346-d3dd71ee",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "38126411453766291090656615694241384214",
"length": 1153.0
},
"signature_type": "Function"
},
{
"source": "https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495",
"target": {
"function": "validate",
"file": "core/src/main/java/org/bouncycastle/crypto/params/DHPublicKeyParameters.java"
},
"id": "CVE-2016-1000346-f57f7783",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "294753607132051936417133149090441060056",
"length": 304.0
},
"signature_type": "Function"
},
{
"source": "https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495",
"target": {
"file": "core/src/main/java/org/bouncycastle/crypto/agreement/DHBasicAgreement.java"
},
"id": "CVE-2016-1000346-fdbfca4c",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"141517833331437601801592367898136557009",
"309931093022895145803688354984544284760",
"3967280219442368444225507890269770444",
"75290530100668902047193846978028414698",
"128217625286592271576687871452531548507",
"40245379897581345704545044998679275450",
"100000684600657234182419395507310346326"
],
"threshold": 0.9
},
"signature_type": "Line"
}
]