CVE-2018-5382
The MITRE CVE dictionary describes this issue as:
Bouncy Castle BKS version 1 keystore (BKS-V1) files use an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS-V1 keystore. All BKS-V1 keystores are vulnerable. Bouncy Castle release 1.47 introduces BKS version 2, which uses a 160-bit MAC.
Find out more about CVE-2018-5382 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
Red Hat Product Security has rated this issue as having security impact of Low. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
CVSS v3 metrics
| CVSS3 Base Score | 4 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity Impact | Low |
| Availability Impact | None |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Satellite 6.4 for RHEL 7 | RHSA-2018:2927 | 2018-10-16 |
| Red Hat Satellite 6.4 for RHEL 7 | RHSA-2018:2927 | 2018-10-16 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Subscription Asset Manager 1 | bouncycastle | Will not fix |
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-eclipse46-bouncycastle | Not affected |
| Red Hat Satellite 6 | bouncycastle | Will not fix |
| Red Hat JBoss EAP 7 | bouncycastle | Will not fix |
| Red Hat JBoss Data Virtualization 6 | bouncycastle | Not affected |
CVE description copyright © 2017, The MITRE Corporation