CVE-2016-1000339
Information leakage vulnerability in bcprov-jdk14 (Maven)
What is CVE-2016-1000339 About?
This vulnerability in Bouncy Castle JCE Provider (version 1.55 and earlier) allows for information leakage during AES encryption. The `AESFastEngine` uses a table-driven approach, which can reveal information about the AES key through monitoring CPU data channel accesses. This side-channel leakage compromises the confidentiality of the key.
Affected Software
- org.bouncycastle:bcprov-jdk14
  - <1.56
- org.bouncycastle:bcprov-jdk15
  - <1.56
- org.bouncycastle:bcprov-jdk15on
  - <1.56
Technical Details
In Bouncy Castle JCE Provider versions 1.55 and earlier, the `AESFastEngine` class, the engine primarily used for AES encryption, was implemented using a highly table-driven approach. This design, while efficient, introduces a side-channel vulnerability: when the CPU's data channel is monitored, the cache access patterns and timing of the table lookups become distinguishable, and those patterns are correlated with the operations involving the AES key. An attacker observing these side channels can therefore deduce information about the AES key in use. `AESEngine` also exhibited some leakage, but substantially less. The core mechanism is that the execution behaviour (memory access patterns, timing) of the `AESFastEngine` cryptographic operations depends on the secret key values, which allows a differential analysis that leads to key recovery or partial key information leakage.
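The following is an added illustration of the mechanism described above, not Bouncy Castle code and not the 1.56 fix. It models one AES round-1 lookup at one byte position in a simulated cache (assumed geometry: 64-byte lines, four-byte table entries, so 16 entries per line; the T-table contents, the `LineRecorder` observer and the plaintext bytes are all constructed here). With the table-driven lookup the set of lines an observer sees depends on the key byte, which is exactly the correlation the advisory describes; with a lookup that touches the whole table and selects the entry arithmetically, the observation is identical for every key byte, which is the property a constant-time design aims for.

```python
# Added illustration (not Bouncy Castle code): a simulated cache observer,
# a constructed stand-in for one AES T-table, and two lookup strategies.
# Assumed cache geometry: 64-byte lines holding 16 four-byte table entries.

CACHE_LINE_BYTES = 64
ENTRY_BYTES = 4
ENTRIES_PER_LINE = CACHE_LINE_BYTES // ENTRY_BYTES   # 16 entries per line
TABLE_SIZE = 256

# Constructed table: the entry values are irrelevant to the access pattern;
# only which index (and therefore which line) is read matters here.
T_TABLE = [(i * 0x01010101) & 0xFFFFFFFF for i in range(TABLE_SIZE)]


class LineRecorder:
    """Stand-in for the advisory's 'data channel' observer: records the
    cache line of every table read routed through it."""

    def __init__(self):
        self.lines = set()

    def read(self, index):
        self.lines.add(index // ENTRIES_PER_LINE)
        return T_TABLE[index]


def table_driven_lookup(mem, index):
    """The fast, leaky pattern: one read at a secret-dependent index."""
    return mem.read(index)


def constant_time_lookup(mem, index):
    """Hardened pattern: read every entry and keep the wanted one with an
    arithmetic mask, so the lines touched never depend on the index.
    (Modelled in Python for clarity; a real implementation needs a language
    and compiler that preserve this property.)"""
    result = 0
    for i in range(TABLE_SIZE):
        mask = ((i ^ index) - 1) >> 8      # -1 when i == index, else 0
        result |= mem.read(i) & mask
    return result


def observe(lookup, key_byte, plaintexts):
    """Model of AES round 1 for one byte position: the table index is
    plaintext XOR round-key byte. Returns, per plaintext, the frozenset of
    cache lines the observer saw the lookup touch."""
    trace = []
    for p in plaintexts:
        mem = LineRecorder()
        lookup(mem, p ^ key_byte)
        trace.append(frozenset(mem.lines))
    return trace


# Constructed plaintext bytes covering every high nibble.
PLAINTEXTS = list(range(0, 256, 17))


if __name__ == "__main__":
    for k in (0x3A, 0x35, 0x4A):
        leaky = [min(s) for s in observe(table_driven_lookup, k, PLAINTEXTS)]
        print(f"table-driven, key byte {k:#04x}: lines {leaky}")
    ct = observe(constant_time_lookup, 0x3A, PLAINTEXTS)
    print(f"constant-time, any key byte: {len(ct[0])} lines touched per lookup")
```

Running the script shows that key bytes 0x3A and 0x35 produce the same table-driven trace while 0x4A produces a different one: the observer learns something about the key byte without ever seeing a table value, and only the top bits that select a line are exposed by this particular channel. The constant-time variant touches all 16 lines on every lookup, so its trace carries no key dependence; the cost is 256 reads per lookup, which is the efficiency trade-off the advisory alludes to.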
What is the Impact of CVE-2016-1000339?
Successful exploitation may allow attackers to gather information about the cryptographic keys being used in AES operations, potentially leading to the compromise of data confidentiality.
What is the Exploitability of CVE-2016-1000339?
Exploitation of this vulnerability is complex and requires advanced technical capabilities. It involves sophisticated side-channel attacks, such as monitoring CPU data channel accesses, cache timing, or power consumption during AES encryption operations. This is often a local attack, requiring either physical proximity to the target hardware or access to a shared execution environment (e.g., cloud instance, multi-tenant system) where an attacker can observe the CPU's behavior. No authentication or specific privileges within the application itself are typically required, but rather low-level system access or monitoring capabilities. Special conditions include the need for a precise, fine-grained observation of the system's runtime characteristics. The difficulty of setting up and executing such an attack makes the likelihood of exploitation low for general attackers, but it remains a significant risk in high-security environments against determined adversaries.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2016-1000339?
Available Upgrade Options
- org.bouncycastle:bcprov-jdk15on
  - <1.56 → Upgrade to 1.56
- org.bouncycastle:bcprov-jdk14
  - <1.56 → Upgrade to 1.56
- org.bouncycastle:bcprov-jdk15
  - <1.56 → Upgrade to 1.56
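To check a build against the affected ranges above, the following added example (not a Bouncy Castle or Resolved Security tool) scans `mvn dependency:tree` output for the three listed artifacts below the fixed version. The coordinate format it parses is Maven's `group:artifact:type[:classifier]:version:scope`, the version comparison assumes Bouncy Castle's numeric `1.NN` or `1.NN.M` scheme, and `SAMPLE_TREE` is constructed input.

```python
# Added example: flag org.bouncycastle bcprov artifacts below 1.56 in
# `mvn dependency:tree` output. Not a Bouncy Castle tool; sample input is
# constructed for the demonstration.
import re

AFFECTED_ARTIFACTS = {"bcprov-jdk14", "bcprov-jdk15", "bcprov-jdk15on"}
FIXED_VERSION = (1, 56)

# Maven coordinate as printed by dependency:tree:
#   group:artifact:type[:classifier]:version:scope
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w.\-]+))?:(?P<version>[\w.\-]+):(?P<scope>\w+)"
)


def parse_version(text):
    """Bouncy Castle versions look like 1.55 or 1.78.1; compare them as
    tuples of ints. A non-numeric part (e.g. a SNAPSHOT suffix) ends the
    tuple, and an empty tuple means the version could not be understood."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def find_vulnerable(tree_output):
    """Return (artifact, version, line) for every affected bcprov artifact
    whose version is below the fixed release. Unparseable versions are
    skipped rather than guessed."""
    findings = []
    for line in tree_output.splitlines():
        m = COORD_RE.search(line)
        if not m or m.group("group") != "org.bouncycastle":
            continue
        if m.group("artifact") not in AFFECTED_ARTIFACTS:
            continue
        version = parse_version(m.group("version"))
        if version and version < FIXED_VERSION:
            findings.append((m.group("artifact"), m.group("version"), line.strip()))
    return findings


# Constructed dependency:tree excerpt: one direct and one transitive
# vulnerable artifact, one fixed artifact, and unrelated entries.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.55:compile
[INFO] +- org.bouncycastle:bcpkix-jdk15on:jar:1.55:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] +- com.example:lib:jar:2.1:compile
[INFO] |  \\- org.bouncycastle:bcprov-jdk14:jar:1.46:compile
[INFO] \\- org.bouncycastle:bcprov-jdk15on:jar:1.70:test
"""


if __name__ == "__main__":
    for artifact, version, line in find_vulnerable(SAMPLE_TREE):
        print(f"{artifact} {version} < 1.56  <-  {line}")
```

In practice, pipe `mvn dependency:tree` into the script instead of `SAMPLE_TREE`; a transitive `bcprov` pulled in by another library, like the `1.46` entry in the sample, is the case a manual look at `pom.xml` tends to miss, and a managed-version override or exclusion is then needed alongside the direct upgrade.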
Additional Resources
- https://osv.dev/vulnerability/GHSA-c8xf-m4ff-jcxj
- https://security.netapp.com/advisory/ntap-20181127-0004/
- https://github.com/bcgit/bc-java/commit/413b42f4d770456508585c830cfcde95f9b0e93b#diff-54656f860db94b867ba7542430cd2ef0
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://access.redhat.com/errata/RHSA-2018:2669
- https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000339
- https://github.com/bcgit/bc-java/commit/8a73f08931450c17c749af067b6a8185abdfd2c0#diff-494fb066bed02aeb76b6c005632943f2
What are Similar Vulnerabilities to CVE-2016-1000339?
Similar Vulnerabilities: CVE-2013-5679, CVE-2016-6887, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754
