CVE-2016-1000345
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000345
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-1000345.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2016-1000345
- Aliases
- Downstream
- Related
- Published
- 2018-06-04T21:29:00Z
- Modified
- 2025-08-09T20:01:27Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.
- References
-
- https://access.redhat.com/errata/RHSA-2018:2669
- https://access.redhat.com/errata/RHSA-2018:2927
- https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35#diff-4439ce586bf9a13bfec05c0d113b8098
- https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html
- https://security.netapp.com/advisory/ntap-20181127-0004/
- https://usn.ubuntu.com/3727-1/
- https://www.oracle.com/security-alerts/cpuoct2020.html
Affected packages
Debian:11 / bouncycastle
Package
- Name
- bouncycastle
- Purl
- pkg:deb/debian/bouncycastle?arch=source
Debian:12 / bouncycastle
Package
- Name
- bouncycastle
- Purl
- pkg:deb/debian/bouncycastle?arch=source
Debian:13 / bouncycastle
Package
- Name
- bouncycastle
- Purl
- pkg:deb/debian/bouncycastle?arch=source
Debian:14 / bouncycastle
Package
- Name
- bouncycastle
- Purl
- pkg:deb/debian/bouncycastle?arch=source
Git / github.com/bcgit/bc-java
Affected ranges
- Type
- GIT
- Repo
- https://github.com/bcgit/bc-java
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Database specific
{
"vanir_signatures": [
{
"id": "CVE-2016-1000345-0b5f2f41",
"target": {
"file": "prov/src/test/java/org/bouncycastle/jce/provider/test/ECIESTest.java",
"function": "doTest"
},
"source": "https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35",
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "179002864394440125546296262141155963161",
"length": 1187.0
}
},
{
"id": "CVE-2016-1000345-36f7bd6b",
"target": {
"file": "core/src/main/java/org/bouncycastle/crypto/engines/IESEngine.java"
},
"source": "https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35",
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"257110398682481433913646121550467971355",
"275139457713088889193496192732839408392",
"120141119862494393332871221362606746459",
"98555545717287343597579031218036269416",
"262476176903423455415683873012012649757",
"236126975585969529256452292452654775703",
"228301448613255919213778006023918460002",
"199421667013008401166618630730784820060",
"181461491718249540226561462182354560729",
"208000640208179450921284794371222839393",
"121144880633302981805051983132905184195",
"48197964834373264991007164130497019958",
"250237296400504758329293754435434615416",
"323887388262990516327055875232228152350",
"91050259802795828121732650066675038719",
"219051996476605821750504285082147601464",
"221693319369876007668554799880357733237",
"249750791218091338535881837042703222390",
"211969297003247685384433616757851430931",
"335415331135937872129565386495268784166",
"37725671665673594001442632990016917464",
"279802053105416869716461603979060293224",
"255106541170989648718137929315627056163",
"59195640244517296077674599513913355302",
"174207722993317205854293454222599602538",
"18488347521554329033201535546803919389",
"312080259166499941131388615288774051616",
"47375795903788633760467768421859086921",
"74003011321786277715222864921226148487",
"226430299379077087770240709193272193524",
"44135455413434759346681526103352390987",
"44835840931507247733801529421482895914",
"190126394566284959000953682963277532720",
"125430739925203657684916805415748399891",
"114646932524859317925736748461841160392"
],
"threshold": 0.9
}
},
{
"id": "CVE-2016-1000345-60ff6d44",
"target": {
"file": "prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/rsa/CipherSpi.java",
"function": "getCause"
},
"source": "https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35",
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "39089181724069741817461182154925503651",
"length": 33.0
}
},
{
"id": "CVE-2016-1000345-8b9c8e57",
"target": {
"file": "prov/src/test/java/org/bouncycastle/jce/provider/test/DHIESTest.java"
},
"source": "https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35",
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"133697866731151265672225680018524328357",
"53940337058669385995677821186204241179",
"162587652367991775188636353534051259748",
"149242514917829256206034277858664344451",
"83129615900509335757111178825201322553",
"131610245248648995088831754171242197935",
"282655947336841952086215302463114604351"
],
"threshold": 0.9
}
},
{
"id": "CVE-2016-1000345-950318c8",
"target": {
"file": "prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dh/IESCipher.java"
},
"source": "https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35",
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"321624275237868812560358200503511340568",
"252992669711907532151740084371513059315",
"215725833295398530877526940570012947649",
"242807135362491364543837791708042129235",
"108091918453620955508796412346085011476",
"16206430862202479163469620850912983262",
"92322523150649324961125601007102148471",
"311052508947229842446104995077956063146",
"108091918453620955508796412346085011476",
"16206430862202479163469620850912983262",
"92322523150649324961125601007102148471",
"324033912280635039277495668616057300842",
"138557350505491822280647072120731655818",
"269107568148865735204505861242477462061",
"92322523150649324961125601007102148471",
"179760790584636649966758999776519408882"
],
"threshold": 0.9
}
},
{
"id": "CVE-2016-1000345-9b7ad954",
"target": {
"file": "prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/rsa/CipherSpi.java"
},
"source": "https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35",
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"290884778490768764010015169458877424153",
"12026916305708033123102667084846653426",
"314599721665988624857881943306815957432",
"119637279559202494723928472861109497518",
"270343360284056525849813041168651093009",
"277493311233249594815580003648280355773",
"148073170635695901140804734600411668348",
"10301837253880849880060823707725890398",
"132332263344578338766337379761451053465",
"28602299092353429804920981594400323051",
"135704388376014737888555534907436447735",
"226859003874278127015997238644392693493",
"123264274131735558900654989779005693854",
"186515462493508327284713194033878487063",
"119192621400126891672851326105264979977",
"329151139604705197224402627348618301137"
],
"threshold": 0.9
}
},
{
"id": "CVE-2016-1000345-a5854ea3",
"target": {
"file": "prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dh/IESCipher.java",
"function": "engineDoFinal"
},
"source": "https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35",
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "331106654742969245226299777496253548095",
"length": 2183.0
}
},
{
"id": "CVE-2016-1000345-c18bba17",
"target": {
"file": "prov/src/test/java/org/bouncycastle/jce/provider/test/DHIESTest.java",
"function": "doTest"
},
"source": "https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35",
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "140118185031147262802754739786142862484",
"length": 2193.0
}
},
{
"id": "CVE-2016-1000345-e17c2391",
"target": {
"file": "prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/ec/IESCipher.java",
"function": "engineDoFinal"
},
"source": "https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35",
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "276611188113432688644734577460184145416",
"length": 1844.0
}
},
{
"id": "CVE-2016-1000345-e1d26986",
"target": {
"file": "prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/rsa/CipherSpi.java",
"function": "getOutput"
},
"source": "https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35",
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "251689136952030208781600165520003599649",
"length": 330.0
}
},
{
"id": "CVE-2016-1000345-e6278a9e",
"target": {
"file": "core/src/main/java/org/bouncycastle/crypto/engines/IESEngine.java",
"function": "decryptBlock"
},
"source": "https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35",
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "56844928725221502314709720318495311403",
"length": 2395.0
}
},
{
"id": "CVE-2016-1000345-ef7a1bed",
"target": {
"file": "prov/src/test/java/org/bouncycastle/jce/provider/test/ECIESTest.java"
},
"source": "https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35",
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"106553318140571015030369342386114195205",
"321700837721083068679241337587510366552",
"194927096250702901968581347171630401887",
"336501805394824774452202121353260409290",
"164122908957551891829280440650956902217",
"5365219131925419911924139518069086668"
],
"threshold": 0.9
}
},
{
"id": "CVE-2016-1000345-f18fdfc7",
"target": {
"file": "prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/ec/IESCipher.java"
},
"source": "https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35",
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"117156778294805355372990168580555487373",
"57634547334449502833002644437908286369",
"125211612767327776522542551602816523662",
"270647614890504322549047003157980368283",
"108091918453620955508796412346085011476",
"16206430862202479163469620850912983262",
"92322523150649324961125601007102148471",
"311052508947229842446104995077956063146",
"76996426437389174060864800108914609078",
"166047082815084493065887684215548931860",
"108091918453620955508796412346085011476",
"16206430862202479163469620850912983262",
"92322523150649324961125601007102148471",
"324033912280635039277495668616057300842",
"168158200681690004389575701854465484737",
"138557350505491822280647072120731655818",
"269107568148865735204505861242477462061",
"92322523150649324961125601007102148471",
"179760790584636649966758999776519408882"
],
"threshold": 0.9
}
}
]
}