Bouncy Castle CVE-2015-7940 Information Disclosure Vulnerability

Bouncy Castle is prone to an information disclosure vulnerability.

An attacker can exploit this issue to gain access to sensitive information that may aid in further attacks.

Information

Bugtraq ID: 79091
Class: Design Error
CVE: CVE-2015-7940

Remote: Yes
Local: No
Published: Nov 09 2015 12:00AM
Updated: Apr 19 2017 04:04PM
Credit: Horst Görtz
Vulnerable: Redhat JBoss Fuse 6.2
Redhat JBoss Fuse 6.1.0
Redhat JBoss Fuse 6.0.0
Oracle Virtual Desktop Infrastructure 3.3
Oracle Virtual Desktop Infrastructure 3.2
Oracle Retail Open Commerce Platform 6.0
Oracle Retail Open Commerce Platform 5.3
Oracle Retail Open Commerce Platform 5.1
Oracle Retail Open Commerce Platform 5.0
Oracle Retail Open Commerce Platform 4.0
Oracle PeopleSoft Enterprise PeopleTools 8.55
Oracle PeopleSoft Enterprise PeopleTools 8.54
Oracle MICROS Lucas 2.9.5
Oracle MICROS Lucas 2.9.4
Oracle MICROS Lucas 2.9.3
Oracle MICROS Lucas 2.9.2
Oracle MICROS Lucas 2.9.1
Oracle Insurance IStream 4.3.2
Oracle FLEXCUBE Universal Banking 12.2
Oracle FLEXCUBE Universal Banking 12.1
Oracle FLEXCUBE Universal Banking 12.0.3
Oracle FLEXCUBE Universal Banking 12.0.2
Oracle FLEXCUBE Universal Banking 12.0.1
Oracle FLEXCUBE Universal Banking 11.4
Oracle FLEXCUBE Universal Banking 11.3
Oracle Enterprise Manager Base Platform 13.2.0.0
Oracle Enterprise Manager Base Platform 13.1.0.0
Oracle Enterprise Manager Base Platform 12.1.0.5
Oracle Enterprise Manager 12.2.2
Oracle Enterprise Manager 12.1.4
Oracle Communications Indexing and Search Service 1.0.5.28.0
Oracle Communications Indexing and Search Service 1.0.5.26.0
Oracle Communications Indexing and Search Service 1.0.5.25.0
Oracle Application Testing Suite 12.5.0.2
openSUSE openSUSE 13.2
openSUSE openSUSE 13.1
openSUSE Leap 42.1
IBM WebSphere Cast Iron 7.0
IBM WebSphere Cast Iron 7.5.0.1
IBM WebSphere Cast Iron 7.5.0.0
IBM WebSphere Cast Iron 7.0.0.3
IBM WebSphere Cast Iron 7.0.0.2
IBM WebSphere Cast Iron 7.0.0.1
Debian Linux 6.0 sparc
Debian Linux 6.0 s/390
Debian Linux 6.0 powerpc
Debian Linux 6.0 mips
Debian Linux 6.0 ia-64
Debian Linux 6.0 ia-32
Debian Linux 6.0 arm
Debian Linux 6.0 amd64
Bouncycastle Bouncy Castle Crypto Package 1.50

Not Vulnerable: Oracle Virtual Desktop Infrastructure 3.5.3
Bouncycastle Bouncy Castle Crypto Package 1.51

References:

• Bouncy Castle Homepage (The Legion of the Bouncy Castle)
  
• Critical Patch Security Advisory - October 2016 (Oracle)
  
• openSUSE-SU-2015:1911-1: important: Security update for bouncycastle (OpenSUSE)
  
• Oracle Critical Patch Update Advisory - April 2017 (Oracle)
  
• Oracle Critical Patch Update Advisory - January 2017 (Oracle)
  
• Practical Invalid Curve Attacks (Horst Görtz)
  
• swg21975234: Open-source Bouncy Castle vulnerability affects IBM® WebSphere Cast (IBM)
  

Source: www.securityfocus.com