CVE-2020-28052 - log back

CVE-2020-28052 edited at 18 Dec 2020 14:08:54
Severity
- Unknown
+ High
Remote
- Unknown
+ Local
Type
- Unknown
+ Authentication bypass
Description
+ An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.
References
+ https://github.com/bcgit/bc-java/wiki/CVE-2020-28052
+ https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/
+ https://github.com/bcgit/bc-java/commit/97578f9b7ed277e6ecb58834e85e3d18385a4219
Notes
+ Workaround
+ ==========
+
+ If you have to use either BC 1.65 or BC 1.66 and you need to do password checking for OpenBSDBcrypt use the code given in the doCheckPassword() method in:
+
+ https://github.com/bcgit/bc-java/blob/master/core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java
+
+ It's a static method - the code can be copied into your own utility class without issue.
CVE-2020-28052 created at 18 Dec 2020 14:04:51