[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ESA-2016-154: RSA BSAFE® Crypto-J Multiple Security Vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ESA-2016-154: RSA BSAFE® Crypto-J Multiple Security Vulnerabilities

EMC Identifier:  ESA-2016-154

CVE Identifier:  CVE-2016-8212, CVE-2016-8217
 
Severity Rating: See below for scores for individual issues
 
Affected Products:
?	RSA BSAFE Crypto-J versions prior to 6.2.2
 
Unaffected Products:
?	RSA BSAFE Crypto-J 6.2.2
 
Summary:
RSA announces security fixes to RSA BSAFE® Crypto-J designed to address two security vulnerabilities in the Crypto-J JCE cryptographic provider.
 
Details:
 
?	Improper OCSP Validation Vulnerability ( CVE-2016-8212)
OCSP responses have two time values; thisUpdate and nextUpdate. These specify a validity period, however both values are optional. Crypto-J treats the lack of a nextUpdate as indicating that the OCSP response is valid indefinitely instead of restricting its validity for a brief period surrounding the thisUpdate time. This vulnerability is similar to the issue described in CVE-2015-4748.
CVSS v3 Base Score: 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

?	PKCS#12 Timing Attack Vulnerability (CVE-2016-8217)
A possible timing attack could be carried out by modifying a PKCS#12 file that has an integrity MAC for which the password is not known. An attacker could then feed the modified PKCS#12 file to the toolkit and guess the current MAC one by at a time. This is possible because Crypto-J uses a non-constant-time method to compare the stored MAC with the calculated MAC. This vulnerability is similar to the issue described in CVE-2015-2601.
CVSS v3 Base Score: 5.3  (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
 
Recommendation:
 
The below version contains a fix for the above issues
?	RSA BSAFE Crypto-J 6.2.2 and later
 
RSA recommends affected customers upgrade to the version listed above at the earliest opportunity.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYiiGvAAoJEHbcu+fsE81ZJ0IH/3r30u14Q5OGi0fImLikb1kI
Hi2SVY+oO56eDtB1H5ivjWqvCabTy9KiwcsPTLx7eGO88ujQ5a0/BH3FjQooCUOM
spa6f8OEKtjhUtJrDS0Hi0UxRcoPlpsuqNnSdrR50/5lgkSfVD2neGCDq3iXyVcU
2uAkxQ9VvETJ5y/R7kEWIrr4QfUZXvb4N9/oclIbsy2hLPYuGN/rx9K2xuN3b0yT
0XaDvL0N08IPrZJbUvTW0C7i0qexaVWMVUqYMDdq2jrnp0X4t5VwlXgO/hOD3HRo
6bvvePtf4N2sipEu3bc0g8JuuzOzy0Xz3wQdEKtUf1qXDa9+RiY+uiDdPY9EJyY=
=JEwf
-----END PGP SIGNATURE-----