CVE-2015-7940 has been reported for Bouncy Castle libraries prior to 1.51

Article ID: KB0092944

Products Versions
TIBCO Managed File Transfer Internet Server -
TIBCO Managed File Transfer Command Center -
Not Applicable -

Description:
CVE-2015-7940 has been reported for Bouncy Castle libraries prior to 1.51. MFT ships Bouncy Castle V1.47. Follow the instructions below to remove Bouncy Castle as an elliptic curve provider.

MFT Internet Server below v7.3.0 and MFT Command Center below v7.3.0
MFT adds the Bouncy Castle libraries to the java.security file that defines security providers. Because the Bouncy Castle provider is installed above the SunEC provider, Java will use the Bouncy Castle provider for elliptic curve encryption. To remove Bouncy Castle as the elliptic curve encryption provider, follow the instructions below:

Resolution:
Upgrade to MFT Internet Server and Command Center 7.3.0
or
1. Make sure that you are running Java Server JRE or JDK 1.7 or 1.8
2. Edit the file JAVA_HOME/jre/lib/security/java.security
3. Move the following line from line 3 to the last provider entry:
   security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
4. Make sure to renumber the entries in the java.security file
5. Restart the MFT Server
For Oracle Java, make sure that the "sun.security.ec.SunEC" provider is defined
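
The reorder-and-renumber edit described above, as an added Python example (not part of the TIBCO article or product): it parses the security.provider.N entries, moves the Bouncy Castle entry last, renumbers the list, and reports whether SunEC is defined ahead of Bouncy Castle. The function names and the sample provider list are constructed for illustration.

```python
import re

PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")
BC = "org.bouncycastle.jce.provider.BouncyCastleProvider"
SUNEC = "sun.security.ec.SunEC"

# Constructed sample of the provider section of a java.security file.
SAMPLE = """\
# constructed sample of a java.security provider list
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.4=sun.security.ec.SunEC
security.provider.5=com.sun.net.ssl.internal.ssl.Provider
"""

def providers(text):
    """Return provider class names in preference order (lowest number first)."""
    found = [(int(m.group(1)), m.group(2))
             for m in map(PROVIDER_RE.match, text.splitlines()) if m]
    return [cls for _, cls in sorted(found)]

def move_bc_last(text):
    """Rewrite the provider entries with Bouncy Castle last, renumbered from 1."""
    order = providers(text)
    if BC not in order:
        return text
    # Keep every other provider in its relative order, then append BC.
    order = [c for c in order if c != BC] + [BC] * order.count(BC)
    renumbered = iter(enumerate(order, start=1))
    out = []
    for line in text.splitlines():
        if PROVIDER_RE.match(line):
            n, cls = next(renumbered)
            out.append("security.provider.%d=%s" % (n, cls))
        else:
            out.append(line)  # comments and other settings are left untouched
    return "\n".join(out) + "\n"

def ec_served_by_sunec(text):
    """True when SunEC is defined and listed ahead of Bouncy Castle (or BC is absent)."""
    order = providers(text)
    if SUNEC not in order:
        return False
    return BC not in order or order.index(SUNEC) < order.index(BC)

if __name__ == "__main__":
    print("before:", ec_served_by_sunec(SAMPLE))
    print(move_bc_last(SAMPLE), end="")
```
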


CVE-2015-7940
The Bouncy Castle Java library before 1.51 does not validate that a point is within the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."
