CVE-2020-28052 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	No
Type	Authentication bypass
Description	An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1372	bcprov	1.66-1	1.67-1	High	Fixed	FS#69025

References
https://github.com/bcgit/bc-java/wiki/CVE-2020-28052 https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/ https://github.com/bcgit/bc-java/commit/97578f9b7ed277e6ecb58834e85e3d18385a4219

References

https://github.com/bcgit/bc-java/wiki/CVE-2020-28052
https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/
https://github.com/bcgit/bc-java/commit/97578f9b7ed277e6ecb58834e85e3d18385a4219

Notes
Workaround ========== If you have to use either BC 1.65 or BC 1.66 and you need to do password checking for OpenBSDBcrypt use the code given in the doCheckPassword() method in: https://github.com/bcgit/bc-java/blob/master/core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java It's a static method - the code can be copied into your own utility class without issue.

Notes

Workaround
==========

If you have to use either BC 1.65 or BC 1.66 and you need to do password checking for OpenBSDBcrypt use the code given in the doCheckPassword() method in:

https://github.com/bcgit/bc-java/blob/master/core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java

It's a static method - the code can be copied into your own utility class without issue.