{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-09-15T00:00:00", "descriptions": [{"lang": "en", "value": "The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an \"invalid curve attack.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-04-15T21:06:39", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "RHSA-2016:2035", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2035.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"}, {"name": "79091", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/79091"}, {"name": "openSUSE-SU-2015:1911", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html"}, {"name": "FEDORA-2015-7d95466eda", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"}, {"name": "RHSA-2016:2036", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2036.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"}, {"name": "USN-3727-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3727-1/"}, {"name": "[oss-security] 20151022 Re: CVE Request: invalid curve attack on bouncycastle", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/10/22/9"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"}, {"name": "1037036", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1037036"}, {"name": "[oss-security] 20151022 CVE Request: invalid curve attack on bouncycastle", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/10/22/7"}, {"name": "DSA-3417", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3417"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"}, {"tags": ["x_refsource_MISC"], "url": "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html"}, {"name": "1037046", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1037046"}, {"name": "1037053", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1037053"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-7940", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an \"invalid curve attack.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "RHSA-2016:2035", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-2035.html"}, {"name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"}, {"name": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"}, {"name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", "refsource": "CONFIRM", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"}, {"name": "79091", "refsource": "BID", "url": "http://www.securityfocus.com/bid/79091"}, {"name": "openSUSE-SU-2015:1911", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html"}, {"name": "FEDORA-2015-7d95466eda", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html"}, {"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"}, {"name": "RHSA-2016:2036", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-2036.html"}, {"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"}, {"name": "USN-3727-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3727-1/"}, {"name": "[oss-security] 20151022 Re: CVE Request: invalid curve attack on bouncycastle", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/10/22/9"}, {"name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"}, {"name": "1037036", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1037036"}, {"name": "[oss-security] 20151022 CVE Request: invalid curve attack on bouncycastle", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/10/22/7"}, {"name": "DSA-3417", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3417"}, {"name": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"}, {"name": "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html", "refsource": "MISC", "url": "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html"}, {"name": "1037046", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1037046"}, {"name": "1037053", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1037053"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T08:06:30.850Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2016:2035", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2035.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"}, {"name": "79091", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/79091"}, {"name": "openSUSE-SU-2015:1911", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html"}, {"name": "FEDORA-2015-7d95466eda", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"}, {"name": "RHSA-2016:2036", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2036.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"}, {"name": "USN-3727-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/3727-1/"}, {"name": "[oss-security] 20151022 Re: CVE Request: invalid curve attack on bouncycastle", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/10/22/9"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"}, {"name": "1037036", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1037036"}, {"name": "[oss-security] 20151022 CVE Request: invalid curve attack on bouncycastle", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/10/22/7"}, {"name": "DSA-3417", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3417"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html"}, {"name": "1037046", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1037046"}, {"name": "1037053", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1037053"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-7940", "datePublished": "2015-11-09T16:00:00", "dateReserved": "2015-10-22T00:00:00", "dateUpdated": "2024-08-06T08:06:30.850Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*", "matchCriteriaId": "4863BE36-D16A-4D75-90D9-FD76DB5B48B7", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:*:*:*:*:*:*:*:*", "matchCriteriaId": "1F13E5A4-3B59-4F36-9876-1824D17B792F", "versionEndIncluding": "1.50", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:application_testing_suite:12.5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "E3DDC0DF-B134-4168-8A29-5002305C1167", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:application_testing_suite:12.5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "62E818A9-663D-4AFB-B3D6-686CE4DB9676", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "17EA8B91-7634-4636-B647-1049BA7CA088", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "BA2CF507-AA3F-464C-88DF-71E30672E623", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "BE12B6A4-E128-41EC-8017-558F50B961BE", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.54:*:*:*:*:*:*:*", "matchCriteriaId": "CDD82442-3535-4BB9-8888-F61A35B900AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*", "matchCriteriaId": "45CB30A1-B2C9-4BF5-B510-1F2F18B60C64", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:virtual_desktop_infrastructure:3.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "89E7F3DD-4137-4613-A4CC-26DB2FFF2871", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an \"invalid curve attack.\""}, {"lang": "es", "value": "La librer\u00eda Bouncy Castle Java en versiones anteriores a 1.51 no valida un punto que se encuentra dentro de la curva el\u00edptica, lo que facilita a atacantes remotos obtener claves privadas a trav\u00e9s de una serie de intercambios de clave de curva el\u00edptica Diffie Hellman (ECDH) manipulados, tambi\u00e9n conocida como un 'ataque de curva no v\u00e1lida'."}], "id": "CVE-2015-7940", "lastModified": "2019-01-16T19:29:07.343", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-11-09T16:59:09.277", "references": [{"source": "cve@mitre.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2016-2035.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2016-2036.html"}, {"source": "cve@mitre.org", "tags": ["Technical Description"], "url": "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2015/dsa-3417"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.openwall.com/lists/oss-security/2015/10/22/7"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.openwall.com/lists/oss-security/2015/10/22/9"}, {"source": "cve@mitre.org", "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"}, {"source": "cve@mitre.org", "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"}, {"source": "cve@mitre.org", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"}, {"source": "cve@mitre.org", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"}, {"source": "cve@mitre.org", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/79091"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1037036"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1037046"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1037053"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/3727-1/"}, {"source": "cve@mitre.org", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}, {"source": "cve@mitre.org", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2016:2036", "cpe": "cpe:/a:redhat:jboss_amq:6.3", "product_name": "Red Hat JBoss A-MQ 6.3", "release_date": "2016-10-06T00:00:00Z"}, {"advisory": "RHSA-2016:2035", "cpe": "cpe:/a:redhat:jboss_fuse:6.3", "product_name": "Red Hat JBoss Fuse 6.3", "release_date": "2016-10-06T00:00:00Z"}], "bugzilla": {"description": "bouncycastle: Invalid curve attack allowing to extract private keys", "id": "1276272", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1276272"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "status": "verified"}, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-358", "details": ["The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an \"invalid curve attack.\"", "It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries."], "name": "CVE-2015-7940", "package_state": [{"cpe": "cpe:/a:redhat:jboss_amq:6", "fix_state": "Affected", "package_name": "fabric8", "product_name": "Red Hat JBoss A-MQ 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Affected", "package_name": "fabric8", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Will not fix", "package_name": "bouncycastle", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Will not fix", "package_name": "bouncycastle", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2015-09-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-7940\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-7940"], "threat_severity": "Moderate", "upstream_fix": "bouncycastle 1.51"}