CVE-2016-1000340
Carry Propagation Bug vulnerability in bcprov-jdk14 (Maven)
What is CVE-2016-1000340 About?
This vulnerability is a carry propagation bug in the Bouncy Castle JCE Provider's raw math classes, specifically affecting elliptic curve scalar multiplications. It can lead to rare, spurious calculations that undermine the correctness of cryptographic operations. The errors would likely be caught by output validation, but incorrect arithmetic in a cryptographic primitive still poses a risk to cryptographic integrity; exploitation is difficult because of the bug's rarity and the existing detection mechanisms.
Affected Software
- org.bouncycastle:bcprov-jdk14
  - >1.51, <1.56
- org.bouncycastle:bcprov-jdk15
  - >1.51, <1.56
- org.bouncycastle:bcprov-jdk15on
  - >1.51, <1.56
Technical Details
The vulnerability stems from a carry propagation bug introduced in Bouncy Castle JCE Provider versions 1.51 to 1.55 within the squaring implementation of several org.bouncycastle.math.raw.Nat??? classes. These classes are the foundation of the custom elliptic curve implementations in org.bouncycastle.math.ec.custom.**, so the bug could cause incorrect results during elliptic curve scalar multiplications. Although such errors are described as rare in general usage, they represent a potential cryptographic weakness. The impact is somewhat mitigated by the output validation performed for scalar multipliers, which is designed to detect these spurious calculations with high probability, so incorrect outputs are likely to be identified before use.
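As an added example (not Bouncy Castle's code), the check a practitioner would run against a raw multi-limb squaring routine of the kind the affected Nat??? classes implement: a differential test against arbitrary-precision integers, with a deliberately carry-dropping variant to show that a propagation fault can pass on small inputs and only surface when several large limbs line up. The 32-bit limb layout and the injected fault are assumptions for illustration.

```python
# Added example, not Bouncy Castle code: differential test of multi-limb squaring.
import random

MASK32 = 0xFFFFFFFF  # assumed limb width; the Nat??? classes use 32-bit int limbs

def to_limbs(x, n):
    """Split a non-negative integer into n little-endian 32-bit limbs."""
    return [(x >> (32 * i)) & MASK32 for i in range(n)]

def from_limbs(limbs):
    """Inverse of to_limbs."""
    return sum(limb << (32 * i) for i, limb in enumerate(limbs))

def square_limbs(x, drop_carry=False):
    """Schoolbook squaring of n limbs into 2n limbs, column by column.
    Each column sum is kept exact and its carry propagated to the next
    column. With drop_carry=True the carry is truncated to 32 bits first,
    an illustrative stand-in for a carry-propagation fault: harmless while
    column sums stay small, wrong once several large limbs line up."""
    n = len(x)
    zz = [0] * (2 * n)
    carry = 0
    for k in range(2 * n):
        acc = carry
        for i in range(max(0, k - n + 1), min(k, n - 1) + 1):
            acc += x[i] * x[k - i]
        zz[k] = acc & MASK32
        carry = acc >> 32
        if drop_carry:
            carry &= MASK32  # high carry bits lost: the injected fault
    return zz

def differential_test(n_limbs, trials, drop_carry=False, seed=1):
    """Check square_limbs against Python's exact integers on random inputs
    plus the all-ones edge case; return the number of mismatches."""
    rng = random.Random(seed)
    bits = 32 * n_limbs
    inputs = [(1 << bits) - 1] + [rng.getrandbits(bits) for _ in range(trials)]
    return sum(
        from_limbs(square_limbs(to_limbs(x, n_limbs), drop_carry)) != x * x
        for x in inputs
    )

if __name__ == "__main__":
    print("correct routine mismatches:", differential_test(8, 1000))
    print("carry-dropping routine mismatches:", differential_test(8, 1000, True))
```

Inputs with a single small limb square correctly even under the injected fault, which is why a test suite built only from small or structured values can miss this class of bug.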
What is the Impact of CVE-2016-1000340?
Successful exploitation may allow an attacker to cause incorrect cryptographic calculations, potentially weakening cryptographic security or, where the faulty result is detected and the operation fails, causing a denial of service.
What is the Exploitability of CVE-2016-1000340?
Exploitation of this vulnerability is considered difficult and rare. It requires a deep understanding of elliptic curve cryptography and the specific implementation details of the Bouncy Castle library's raw math operations. There are no authentication or privilege requirements to trigger the bug, as it resides in the core calculation logic, making it a remote vulnerability if an attacker can feed malicious input that triggers the specific conditions for the carry propagation error. However, the existing output validation for scalar multipliers means that even if triggered, the incorrect result would likely be detected, limiting immediate offensive exploitation beyond potential denial of service from failed computations. The rarity of the bug's occurrence further reduces its exploitability.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2016-1000340?
Available Upgrade Options
- org.bouncycastle:bcprov-jdk15on
  - >1.51, <1.56 → Upgrade to 1.56
- org.bouncycastle:bcprov-jdk14
  - >1.51, <1.56 → Upgrade to 1.56
- org.bouncycastle:bcprov-jdk15
  - >1.51, <1.56 → Upgrade to 1.56
Additional Resources
- https://access.redhat.com/errata/RHSA-2018:2669
- https://access.redhat.com/errata/RHSA-2018:2927
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000340
- https://security.netapp.com/advisory/ntap-20181127-0004
- https://github.com/bcgit/bc-java/commit/790642084c4e0cadd47352054f868cc8397e2c00#diff-e5934feac8203ca0104ab291a3560a31
- https://osv.dev/vulnerability/GHSA-r97x-3g8f-gx3m
- https://www.oracle.com/security-alerts/cpuoct2020.html
What are Similar Vulnerabilities to CVE-2016-1000340?
Similar Vulnerabilities: CVE-2020-15522, CVE-2015-7940, CVE-2016-1000339, CVE-2018-5383, CVE-2019-13627
