ESA-2016-154: RSA BSAFE® Crypto-J Multiple Security Vulnerabilities EMC Identifier: ESA-2016-154 CVE Identifier: CVE-2016-8212, CVE-2016-8217 Severity Rating: See below for scores for individual issues Affected Products: • RSA BSAFE Crypto-J versions prior to 6.2.2 Unaffected Products: • RSA BSAFE Crypto-J 6.2.2 Summary: RSA announces security fixes to RSA BSAFE® Crypto-J designed to address two security vulnerabilities in the Crypto-J JCE cryptographic provider. Details: • Improper OCSP Validation Vulnerability ( CVE-2016-8212) OCSP responses have two time values; thisUpdate and nextUpdate. These specify a validity period, however both values are optional. Crypto-J treats the lack of a nextUpdate as indicating that the OCSP response is valid indefinitely instead of restricting its validity for a brief period surrounding the thisUpdate time. This vulnerability is similar to the issue described in CVE-2015-4748. CVSS v3 Base Score: 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) • PKCS#12 Timing Attack Vulnerability (CVE-2016-8217) A possible timing attack could be carried out by modifying a PKCS#12 file that has an integrity MAC for which the password is not known. An attacker could then feed the modified PKCS#12 file to the toolkit and guess the current MAC one by at a time. This is possible because Crypto-J uses a non-constant-time method to compare the stored MAC with the calculated MAC. This vulnerability is similar to the issue described in CVE-2015-2601. CVSS v3 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) Recommendation: The below version contains a fix for the above issues • RSA BSAFE Crypto-J 6.2.2 and later RSA recommends affected customers upgrade to the version listed above at the earliest opportunity.
2017 m. vasario 8 d., trečiadienis
ESA-2016-154: RSA BSAFE® Crypto-J Multiple Security Vulnerabilities
Užsisakykite:
Rašyti komentarus (Atom)
Komentarų nėra:
Rašyti komentarą