CVE-2016-1000342

Source
https://nvd.nist.gov/vuln/detail/CVE-2016-1000342
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-1000342.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2016-1000342
Published
2018-06-04T13:29:00Z
Modified
2025-08-09T20:01:27Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
[none]
Details

In the Bouncy Castle JCE Provider version 1.55 and earlier, ECDSA does not fully validate the ASN.1 encoding of a signature on verification. It is possible to inject extra elements into the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

Affected packages

Debian:11 / bouncycastle

Package

Name
bouncycastle
Purl
pkg:deb/debian/bouncycastle?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
1.56-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / bouncycastle

Package

Name
bouncycastle
Purl
pkg:deb/debian/bouncycastle?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
1.56-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / bouncycastle

Package

Name
bouncycastle
Purl
pkg:deb/debian/bouncycastle?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
1.56-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / bouncycastle

Package

Name
bouncycastle
Purl
pkg:deb/debian/bouncycastle?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
1.56-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/bcgit/bc-java

Affected ranges

Type
GIT
Repo
https://github.com/bcgit/bc-java
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Database specific

{
    "vanir_signatures": [
        {
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647",
            "signature_type": "Line",
            "id": "CVE-2016-1000342-249f616d",
            "target": {
                "file": "core/src/main/java/org/bouncycastle/asn1/ASN1Integer.java"
            }
        },
        {
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647",
            "signature_type": "Line",
            "id": "CVE-2016-1000342-46405252",
            "target": {
                "file": "core/src/main/java/org/bouncycastle/asn1/ASN1Enumerated.java"
            }
        },
        {
            "digest": {
                "function_hash": "220933315659328942017981122338364204839",
                "length": 1059.0
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647",
            "signature_type": "Function",
            "id": "CVE-2016-1000342-6a71e645",
            "target": {
                "function": "performTest",
                "file": "core/src/test/java/org/bouncycastle/asn1/test/MiscTest.java"
            }
        },
        {
            "digest": {
                "function_hash": "278734910691241586643841700662906844285",
                "length": 312.0
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647",
            "signature_type": "Function",
            "id": "CVE-2016-1000342-748b62ce",
            "target": {
                "function": "decode",
                "file": "prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/ec/SignatureSpi.java"
            }
        },
        {
            "digest": {
                "function_hash": "166629354532108070822167463130104286425",
                "length": 219.0
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647",
            "signature_type": "Function",
            "id": "CVE-2016-1000342-8e601e0e",
            "target": {
                "function": "performTest",
                "file": "prov/src/test/java/org/bouncycastle/jce/provider/test/ECDSA5Test.java"
            }
        },
        {
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647",
            "signature_type": "Line",
            "id": "CVE-2016-1000342-907612d2",
            "target": {
                "file": "core/src/test/java/org/bouncycastle/asn1/test/MiscTest.java"
            }
        },
        {
            "digest": {
                "function_hash": "100393218655753613535427303270331315545",
                "length": 316.0
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647",
            "signature_type": "Function",
            "id": "CVE-2016-1000342-93adda44",
            "target": {
                "function": "derDecode",
                "file": "prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dsa/DSASigner.java"
            }
        },
        {
            "digest": {
                "function_hash": "212919764925938076734138100248791307244",
                "length": 73.0
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647",
            "signature_type": "Function",
            "id": "CVE-2016-1000342-a0313d0b",
            "target": {
                "function": "ASN1Enumerated",
                "file": "core/src/main/java/org/bouncycastle/asn1/ASN1Enumerated.java"
            }
        },
        {
            "digest": {
                "function_hash": "87277759174644206792808356571638029592",
                "length": 113.0
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647",
            "signature_type": "Function",
            "id": "CVE-2016-1000342-c4efb6b8",
            "target": {
                "function": "ASN1Integer",
                "file": "core/src/main/java/org/bouncycastle/asn1/ASN1Integer.java"
            }
        },
        {
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647",
            "signature_type": "Line",
            "id": "CVE-2016-1000342-c55c799d",
            "target": {
                "file": "prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dsa/DSASigner.java"
            }
        },
        {
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647",
            "signature_type": "Line",
            "id": "CVE-2016-1000342-c80ee0ec",
            "target": {
                "file": "prov/src/test/java/org/bouncycastle/jce/provider/test/ECDSA5Test.java"
            }
        },
        {
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647",
            "signature_type": "Line",
            "id": "CVE-2016-1000342-deb37df3",
            "target": {
                "file": "prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/ec/SignatureSpi.java"
            }
        },
        {
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647",
            "signature_type": "Line",
            "id": "CVE-2016-1000342-ff61f771",
            "target": {
                "file": "prov/src/test/java/org/bouncycastle/jce/provider/test/DSATest.java"
            }
        }
    ]
}