{ "threat_severity" : "Moderate", "public_date" : "2021-05-20T00:00:00Z", "bugzilla" : { "description" : "bouncycastle: Timing issue within the EC math library", "id" : "1962879", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1962879" }, "cvss3" : { "cvss3_base_score" : "5.9", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-367", "details" : [ "Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.", "A flaw was found in bouncycastle. A timing issue within the EC math library can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures." ], "affected_release" : [ { "product_name" : "Red Hat EAP-XP 2.0.0 via EAP 7.3.x base", "release_date" : "2021-07-15T00:00:00Z", "advisory" : "RHSA-2021:2755", "cpe" : "cpe:/a:redhat:jbosseapxp", "package" : "bouncycastle" }, { "product_name" : "Red Hat Fuse 7.10", "release_date" : "2021-12-14T00:00:00Z", "advisory" : "RHSA-2021:5134", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "bouncycastle" }, { "product_name" : "Red Hat Fuse 7.8.1", "release_date" : "2021-04-27T00:00:00Z", "advisory" : "RHSA-2021:1401", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "RHINT Camel-K 1.6.4", "release_date" : "2022-03-23T00:00:00Z", "advisory" : "RHSA-2022:1029", "cpe" : "cpe:/a:redhat:integration:1", "package" : "bouncycastle" }, { "product_name" : "RHINT Camel-Q 2.2.1", "release_date" : "2022-03-22T00:00:00Z", "advisory" : "RHSA-2022:1013", "cpe" : "cpe:/a:redhat:camel_quarkus:2.2.1" } ], "package_state" : [ { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Not affected", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Not affected", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "bouncycastle", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "karaf", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "spring-boot-2", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel Quarkus 1", "fix_state" : "Affected", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:camel_quarkus:2", "impact" : "moderate" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat OpenShift Application Runtimes", "fix_state" : "Affected", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Affected", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "Red Hat support for Spring Boot", "fix_state" : "Will not fix", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "Red Hat Virtualization 4", "fix_state" : "Not affected", "package_name" : "bouncycastle", "cpe" : "cpe:/o:redhat:rhev_hypervisor:4" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-15522\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-15522" ], "name" : "CVE-2020-15522", "csaw" : false }