Closed ccoltx closed 2 years ago
The current bouncycastle version 1.6.4 has the known CVE-2020-15522.
https://mvnrepository.com/artifact/org.bouncycastle/bcpkix-jdk15on/1.64
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15522
Update to 1.70
Not sure if I'm missing something, but currently we're using Bouncycastle 1.66. The CVE you linked above states that:
Bouncy Castle BC Java before 1.66, BC ... have a timing issue within the EC math library ...
This issue seems to be fixed in BC versions 1.66 and later: https://github.com/bcgit/bc-java/wiki/CVE-2020-15522
However, there will be a release containing some updated libraries soon, so Bouncycastle could be updated as well.
You are correct. Unfortunately I referenced the wrong CVE; it should have been: https://nvd.nist.gov/vuln/detail/CVE-2020-28052
https://mvnrepository.com/artifact/org.bouncycastle/bcpkix-jdk15on/1.66
@ccoltx there is a new release using Bouncycastle 1.70 available on Maven Central:
https://search.maven.org/artifact/de.tk.opensource/secon-tool/1.1.1/jar
Thanks @loetifuss - I'm already using it.
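The thread shows how easy it is to match the wrong CVE to a resolved dependency version. The script below is an added example, not code from the secon-tool project or from any participant here: it scans `mvn dependency:tree` output (the sample tree is constructed, not captured from the real build) for org.bouncycastle artifacts, including transitive ones, and checks each resolved version against the affected ranges of the two CVEs discussed. The range for CVE-2020-15522 (before 1.66) is as quoted above; the range for CVE-2020-28052 (1.65 and 1.66, fixed in 1.67) comes from the NVD entry linked in the thread, not from the thread text itself.

```python
from __future__ import annotations

import re

# Constructed sample of `mvn dependency:tree` output, not the secon-tool build.
SAMPLE_TREE = """\
[INFO] de.tk.opensource:secon-tool:jar:1.1.0
[INFO] +- org.bouncycastle:bcpkix-jdk15on:jar:1.64:compile
[INFO] |  \\- org.bouncycastle:bcprov-jdk15on:jar:1.64:compile
[INFO] +- org.bouncycastle:bcmail-jdk15on:jar:1.66:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# CVE -> (first affected version, first fixed version); lower bound inclusive,
# upper bound exclusive, as tuples produced by parse_version().
ADVISORIES = {
    # EC math timing issue; BC Java before 1.66 (range quoted in the thread).
    "CVE-2020-15522": ((1, 0), (1, 66)),
    # OpenBSDBCrypt.checkPassword issue; affects 1.65 and 1.66, fixed in 1.67 (NVD).
    "CVE-2020-28052": ((1, 65), (1, 67)),
}

# Matches the "group:artifact:type:version:scope" token Maven prints per dependency.
DEP_LINE = re.compile(
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?P<type>\w+):"
    r"(?P<version>[\w.-]+):(?P<scope>\w+)"
)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn "1.64" into (1, 64); stop at a qualifier such as "-SNAPSHOT"."""
    parts: list[int] = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def affected_cves(version: str) -> list[str]:
    """Return the CVE ids whose affected range contains this BC version."""
    v = parse_version(version)
    return [cve for cve, (low, high) in ADVISORIES.items() if low <= v < high]


def bouncycastle_deps(tree_text: str) -> list[tuple[str, str]]:
    """Extract (artifact, version) for every org.bouncycastle node in the tree."""
    found: list[tuple[str, str]] = []
    for line in tree_text.splitlines():
        m = DEP_LINE.search(line)
        if m and m.group("group") == "org.bouncycastle":
            found.append((m.group("artifact"), m.group("version")))
    return found


def audit(tree_text: str) -> list[tuple[str, str, list[str]]]:
    """For each BC artifact in the tree, list the CVEs its version falls under."""
    return [(art, ver, affected_cves(ver)) for art, ver in bouncycastle_deps(tree_text)]


def is_clean(tree_text: str) -> bool:
    """True when no BouncyCastle artifact in the tree matches a known advisory."""
    return all(not cves for _, _, cves in audit(tree_text))


if __name__ == "__main__":
    for artifact, version, cves in audit(SAMPLE_TREE):
        status = ", ".join(cves) if cves else "no known advisory in table"
        print(f"{artifact} {version}: {status}")
    print("clean" if is_clean(SAMPLE_TREE) else "update BouncyCastle")
```

Run it against real output with `mvn dependency:tree | python audit_bc.py`-style piping by reading stdin instead of SAMPLE_TREE; the point is that the check is done on the resolved tree, so a transitive bcprov pulled in by bcpkix is seen too, and each version is tested against the advisory's actual range rather than "is it the newest".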