SB2020110803 - Information disclosure in Bouncy Castle

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2020-26939)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to observable differences in behavior to error inputs within the org.bouncycastle.crypto.encodings.OAEPEncoding component in Legion of the Bouncy Castle BC. A remote attacker can obtain sensitive information about a private exponent by sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder. This causes the application to throw an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.

Remediation

Install update from vendor's website.

References

• https://github.com/bcgit/bc-java/commit/930f8b274c4f1f3a46e68b5441f1e7fadb57e8c1
• https://github.com/bcgit/bc-java/wiki/CVE-2020-26939
• https://lists.debian.org/debian-lts-announce/2020/11/msg00007.html