Overview
- Description
- The default BKS keystore use an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS keystore. Bouncy Castle release 1.47 changes the BKS format to a format which uses a 160 bit HMAC instead. This applies to any BKS keystore generated prior to BC 1.47. For situations where people need to create the files for legacy reasons a specific keystore type "BKS-V1" was introduced in 1.49. It should be noted that the use of "BKS-V1" is discouraged by the library authors and should only be used where it is otherwise safe to do so, as in where the use of a 16 bit checksum for the file integrity check is not going to cause a security issue in itself.
- Source
- cret@cert.org
- NVD status
- Modified
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 4.4
- Impact score
- 2.5
- Exploitability score
- 1.8
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- Severity
- MEDIUM
CVSS 2.0
- Type
- Primary
- Base score
- 3.6
- Impact score
- 4.9
- Exploitability score
- 3.9
- Vector string
- AV:L/AC:L/Au:N/C:P/I:P/A:N
Social media
- Hype score
- Not currently trending
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "C6428A9C-47F6-48F9-9388-F4FFDDBF7420",
"versionEndIncluding": "1.49"
}
],
"operator": "OR"
}
]
},
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:satellite:6.4:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "FB283C80-F7AF-4776-8432-655E50D7D65B"
},
{
"criteria": "cpe:2.3:a:redhat:satellite_capsule:6.4:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "461407B5-C167-4DE1-A934-FD5ADFB4AD4E"
}
],
"operator": "OR"
}
]
}
]