CVE-2015-7940 has been reported for Bouncy Castle libraries prior to 1.51
Article ID: KB0092814
Updated On:
| Products | Versions |
|---|---|
| TIBCO Slingshot | - |
| Not Applicable | - |
Description
Description:
CVE-2015-7940 has been reported for Bouncy Castle libraries prior to 1.51. MFT ships Bouncy Castle V1.47. Follow the instructions below to remove Bouncy Castle as an Elliptical Curve Provider.
Slingshot v1.9.4 and below
Slingshot adds the Bouncy Castle libraries to the java.security file that defines security providers. Because the Bouncy Castle provider is installed above the SunEC provider, Java will use the Bouncy Castle provider for Elliptical Curve encryption. To remove Bouncy Castle as the Elliptical Curve encryption provider, follow the instructions below::
Resolution:
: Make sure that you are running JAVA Server JRE or JDK 1.7 or 1.8
: Edit file: JAVA_HOME/jre/lib/security/java.security
: Move the following line from line 3 to the last provider entry.
security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
: Make sure to renumber the entries in the java.security.file
: Restart the Slingshot Server
For Oracle Java, make sure that the "sun.security.ec.SunEC" provider is defined
The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."
Issue/Introduction
CVE-2015-7940 has been reported for Bouncy Castle libraries prior to 1.51
Feedback
Yes
No
Powered by
