Severity |
|
Remote |
|
Type |
- |
Unknown |
+ |
Authentication bypass |
|
Description |
+ |
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different. |
|
References |
+ |
https://github.com/bcgit/bc-java/wiki/CVE-2020-28052 |
+ |
https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/ |
+ |
https://github.com/bcgit/bc-java/commit/97578f9b7ed277e6ecb58834e85e3d18385a4219 |
|
Notes |
+ |
Workaround |
+ |
========== |
+ |
|
+ |
If you have to use either BC 1.65 or BC 1.66 and you need to do password checking for OpenBSDBcrypt use the code given in the doCheckPassword() method in: |
+ |
|
+ |
https://github.com/bcgit/bc-java/blob/master/core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java |
+ |
|
+ |
It's a static method - the code can be copied into your own utility class without issue. |
|