Bugs found by Project Wycheproof
See list of issues for details.
Package OpenJDK

| Summary | Credits | CVE | Upstream Acknowledgement | Tests |
|---|---|---|---|---|
| Biased DSA, leaks signing key | Daniel Bleichenbacher | CVE-2016-0695 | Oracle Critical Patch Update April 2016 | DsaTest: testDsaBias, testBiasSha1WithDSA |
| GCM's timing attack, leaks auth key | Quan Nguyen | CVE-2016-3426 | Oracle Critical Patch Update April 2016 | N/A |
| GCM updateAAD | Quan Nguyen | N/A | Oracle Critical Patch Update April 2016 | AesGcmTest: testLateUpdateAAD |
| GCM wrapped around counter, leaks auth key | Quan Nguyen | N/A | Oracle Critical Patch Update April 2016 | AesGcmTest: testWrappedAroundCounter |
| DSA ArrayIndexOutOfBoundsException | Daniel Bleichenbacher | CVE-2016-5546 | Oracle Critical Patch Update Jan 2017 | DsaTest: testInvalidSignatures |
| RSA OutOfMemoryError | Daniel Bleichenbacher | CVE-2016-5547 | Oracle Critical Patch Update Jan 2017 | RsaSignatureTest: testVectors |
| DSA accepts modified signatures | Daniel Bleichenbacher | CVE-2016-5546 | Oracle Critical Patch Update Jan 2017 | DsaTest: testModifiedSignatures |
| DSA timing attack | Daniel Bleichenbacher | CVE-2016-5548 | Oracle Critical Patch Update Jan 2017 | DsaTest: testTiming |
| ECDSA accepts modified signatures | Daniel Bleichenbacher | CVE-2016-5546 | Oracle Critical Patch Update Jan 2017 | EcdsaTest: testModifiedSignatures |
| ECDSA timing attack | Daniel Bleichenbacher | CVE-2016-5549 | Oracle Critical Patch Update Jan 2017 | EcdsaTest: testTiming |
| Biased ECDSA | Daniel Bleichenbacher | | | Ecdsa: testBias |
Package Conscrypt

| Summary | Credits | CVE | Upstream Acknowledgement | Tests |
|---|---|---|---|---|
| ECDH invalid curve attack | Daniel Bleichenbacher | N/A | | EcdhTest: multiple tests |
| GCM IV reuse | Daniel Bleichenbacher | N/A | | AesGcmTest: testIvReuse |
| GCM weak default tag length | Quan Nguyen | N/A | | AesGcmTest: testDefaultTagSizeIvParameterSpec |
Package BouncyCastle v1.55 and older

| Summary | Credits | CVE | Upstream Acknowledgement | Tests |
|---|---|---|---|---|
| v1.55 ECDH upstream fix was incomplete | Daniel Bleichenbacher | N/A | | Ecdh: multiple tests |
| ECDHC invalid curve attack | Daniel Bleichenbacher | N/A | | EcdhTest: testModifiedPublic, testModifiedPublicSpec, testWrongOrder |
| v1.55 PKCS #1 RSA is more vulnerable to CCA attack | Daniel Bleichenbacher | N/A | | RsaTest: testExceptions |
| DHIES uses unsafe ECB mode | Daniel Bleichenbacher | CVE-2016-1000344 | | DhiesTest |
| ECIES uses unsafe ECB mode by default for "ECIESWithAES" or "ECIESwithDESede" | Daniel Bleichenbacher | CVE-2016-1000352 | | EciesTest: testNotEcb, testDefaultEcies |
| 1.52 ECIESWithAES-CBC is vulnerable to padding oracle attack | Daniel Bleichenbacher | CVE-2016-1000345 | | EciesTest: testExceptions |
| GCM reuses IV after doFinal() | Daniel Bleichenbacher | N/A | | |
| ECDSA accepts invalid signatures | Daniel Bleichenbacher | CVE-2016-1000342 | | EcdsaTest: testModifiedSignatures |
| DSA accepts invalid signatures | Daniel Bleichenbacher | CVE-2016-1000338 | | DsaTest: testModifiedSignatures |
| DSA generates weak key | Daniel Bleichenbacher | CVE-2016-1000343 | | DsaTest: testKeyGeneration |
| Allows invalid DH public key | Daniel Bleichenbacher | CVE-2016-1000346 | | DhTest: incomplete |
| DSA timing attacks | Daniel Bleichenbacher | CVE-2016-1000341 | | DsaTest: testTiming |
| GCM wrapped around counter | Quan Nguyen | CVE-2015-6644 | Nexus Security Bulletin Jan 2016 | AesGcmTest: testWrappedAroundCounter |
Package Go JOSE (https://github.com/square/go-jose)

| Summary | Credits | CVE | Upstream Acknowledgement | Tests |
|---|---|---|---|---|
| ECDH invalid curve attack | Quan Nguyen | CVE-2016-9121 | $5500 total by Square Inc. for all bugs | To be released |
| Multiple signatures, auth bypass | Quan Nguyen | CVE-2016-9122 | | To be released |
| Integer overflow, HMAC bypass | Quan Nguyen | CVE-2016-9123 | | To be released |
| Accepts embedded HMAC key | Quan Nguyen | N/A | | To be released |
Package Go crypto

| Summary | Credits | CVE | Upstream Acknowledgement | Tests |
|---|---|---|---|---|
| GCM wrapped around counter | Quan Nguyen | N/A | goo.gl/OdhZcY | |
| P-384 and P-521 ScalarMult DoS | Daniel Bleichenbacher, Harris Baskaran | CVE-2019-6486 | golang/go#29903 | ecdh_secp384r1_test.json, ecdh_secp521r1_test.json |
Package Nimbus JOSE+JWT (https://connect2id.com/products/nimbus-jose-jwt)

| Summary | Credits | CVE | Upstream Acknowledgement | Tests |
|---|---|---|---|---|
| CBC-HMAC is vulnerable to padding oracle attack | Quan Nguyen | N/A | https://goo.gl/ACZQeI | To be released |
| CBC-HMAC integer overflow, HMAC bypass | Quan Nguyen | N/A | https://goo.gl/ACZQeI | To be released |
Package OpenSSL

| Summary | Credits | CVE | Upstream Acknowledgement | Tests |
|---|---|---|---|---|
| X25519 incorrect carry handling | Alex Gaynor and Paul Kehrer | N/A | https://github.com/openssl/openssl/issues/6687 | |
| Ed25519 malleable signatures | Paul Kehrer and Alex Gaynor | N/A | https://github.com/openssl/openssl/issues/7693 | |
Package LibreSSL

| Summary | Credits | CVE | Upstream Acknowledgement | Tests |
|---|---|---|---|---|
| Overly lax RSA PKCS1v1.5 parsing | Alex Gaynor and Paul Kehrer | N/A | link | |