CVE-2018-5382
CVSS V2 Low 3.6
CVSS V3 Medium 4.4
Description
The default BKS keystore use an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS keystore. Bouncy Castle release 1.47 changes the BKS format to a format which uses a 160 bit HMAC instead. This applies to any BKS keystore generated prior to BC 1.47. For situations where people need to create the files for legacy reasons a specific keystore type "BKS-V1" was introduced in 1.49. It should be noted that the use of "BKS-V1" is discouraged by the library authors and should only be used where it is otherwise safe to do so, as in where the use of a 16 bit checksum for the file integrity check is not going to cause a security issue in itself.
Overview
- CVE ID
- CVE-2018-5382
- Assigner
- cret@cert.org
- Vulnerability Status
- Analyzed
- Published Version
- 2018-04-16T14:29:01
- Last Modified Date
- 2022-04-20T15:31:06
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:*:*:*:*:*:*:*:* | 1 | OR | 1.49 | |
| cpe:2.3:a:redhat:satellite:6.4:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:redhat:satellite_capsule:6.4:*:*:*:*:*:*:* | 1 | OR |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:L/AC:L/Au:N/C:P/I:P/A:N
- Access Vector
- LOCAL
- Access Compatibility
- LOW
- Authentication
- NONE
- Confidentiality Impact
- PARTIAL
- Integrity Impact
- PARTIAL
- Availability Impact
- NONE
- Base Score
- 3.6
- Severity
- LOW
- Exploitability Score
- 3.9
- Impact Score
- 4.9
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- Attack Vector
- LOCAL
- Attack Compatibility
- LOW
- Privileges Required
- LOW
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- LOW
- Availability Impact
- NONE
- Base Score
- 4.4
- Base Severity
- MEDIUM
- Exploitability Score
- 1.8
- Impact Score
- 2.5
References
| Reference URL | Reference Tags |
|---|---|
| https://www.kb.cert.org/vuls/id/306792 | Third Party Advisory US Government Resource |
| https://www.bouncycastle.org/releasenotes.html | Release Notes Vendor Advisory |
| http://www.securityfocus.com/bid/103453 | Third Party Advisory VDB Entry |
| https://access.redhat.com/errata/RHSA-2018:2927 | Third Party Advisory |
| https://www.oracle.com/security-alerts/cpuoct2020.html | Third Party Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2018-5382 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5382 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-04-20 16:58:34 | Added to TrackCVE | |||
| 2022-12-03 04:52:57 | cert@cert.org | cret@cert.org | CVE Assigner | updated |
| 2022-12-03 04:52:57 | 2018-04-16T14:29Z | 2018-04-16T14:29:01 | CVE Published Date | updated |
| 2022-12-03 04:52:57 | 2022-04-20T15:31:06 | CVE Modified Date | updated | |
| 2022-12-03 04:52:57 | Analyzed | Vulnerability Status | updated |