Description

An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.

Remediation

References

https://github.com/bcgit/bc-java/wiki/CVE-2020-28052

https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe%40%3Cissues.karaf.apache.org%3E

https://lists.apache.org/thread.html/r175f5a25d100dbe2b1bd3459b3ce882a84c3ff91b120ed4ff2d57b53%40%3Ccommits.pulsar.apache.org%3E

https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a%40%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013%40%3Cissues.karaf.apache.org%3E

https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdfcd2f5d95892c5b%40%3Cissues.karaf.apache.org%3E

https://lists.apache.org/thread.html/r37d332c0bf772f4982d1fdeeb2f88dd71dab6451213e69e43734eadc%40%3Ccommits.pulsar.apache.org%3E

https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907bd5d8ef14c594fc%40%3Cissues.karaf.apache.org%3E

https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf36c9ca240436b94%40%3Cissues.karaf.apache.org%3E

https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e%40%3Cissues.solr.apache.org%3E

https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f%40%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87b9f54ded26271c%40%3Cissues.karaf.apache.org%3E

https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb6008698d11ef44028c21%40%3Cissues.karaf.apache.org%3E

https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94a0b64cab2efc31%40%3Cissues.karaf.apache.org%3E

https://lists.apache.org/thread.html/rddd2237b8636a48d573869006ee809262525efb2b6ffa6eff50d2a2d%40%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e%40%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32ea926b3de22402%40%3Cissues.karaf.apache.org%3E

https://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb55849eadde58fa9dc2%40%3Cissues.karaf.apache.org%3E

https://www.bouncycastle.org/releasenotes.html

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com/security-alerts/cpuapr2022.html

https://www.oracle.com/security-alerts/cpujan2022.html

https://www.oracle.com/security-alerts/cpujul2022.html

https://www.oracle.com/security-alerts/cpuoct2021.html

https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/

Related Vulnerabilities

CVE-2022-31198 Vulnerability in npm package @openzeppelin/contracts-upgradeable

CVE-2022-40764 Vulnerability in npm package snyk-go-plugin

CVE-2021-21278 Vulnerability in npm package rsshub

CVE-2021-39234 Vulnerability in maven package org.apache.ozone:ozone-common

CVE-2023-41080 Vulnerability in maven package org.apache.tomcat:tomcat

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mitigation Patch Third Party Advisory Release Notes Vendor Advisory Exploit NVD-CWE-Other