{
  "threat_severity" : "Moderate",
  "public_date" : "2015-09-14T00:00:00Z",
  "bugzilla" : {
    "description" : "bouncycastle: Invalid curve attack allowing to extract private keys",
    "id" : "1276272",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1276272"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:N/A:N",
    "status" : "verified"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.7",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-358",
  "details" : [ "The Bouncy Castle Java library before 1.51 does not validate that a point is within the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie-Hellman (ECDH) key exchanges, aka an \"invalid curve attack.\"", "It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries." ],
  "affected_release" : [ {
    "product_name" : "Red Hat JBoss A-MQ 6.3",
    "release_date" : "2016-10-06T00:00:00Z",
    "advisory" : "RHSA-2016:2036",
    "cpe" : "cpe:/a:redhat:jboss_amq:6.3"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6.3",
    "release_date" : "2016-10-06T00:00:00Z",
    "advisory" : "RHSA-2016:2035",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6.3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat JBoss A-MQ 6",
    "fix_state" : "Affected",
    "package_name" : "fabric8",
    "cpe" : "cpe:/a:redhat:jboss_amq:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Affected",
    "package_name" : "fabric8",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Will not fix",
    "package_name" : "bouncycastle",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager",
    "fix_state" : "Will not fix",
    "package_name" : "bouncycastle",
    "cpe" : "cpe:/a:rhel_sam:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2015-7940\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-7940" ],
  "name" : "CVE-2015-7940",
  "csaw" : false
}