CVE-2020-28052: Bouncy Castle vulnerability


Article ID: 208455

Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

A vulnerability scan has flagged the Bouncy Castle library (bcprov-jdk15on.jar), which is bundled inside com.wily.introscope.em.client14.jar.

Details from the scanning tool:

Vulnerability Id: CVE-2020-28052

Description: An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.

References:

Filename: bcprov-jdk15on.jar

Origin: Dependency contains vulnerable code (programming constructs of the change list of the OSS patch)

Revisions fixing the vulnerability: 97578f9b7ed277e6ecb58834e85e3d18385a4219

Environment

Release : 10.7.0

Component : Introscope

Resolution

The Bouncy Castle library was updated to version 1.67 in the Enterprise Manager (EM) in 10.7 HF78.
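The following Java program is an added example, not part of this article or of the Bouncy Castle project. It gives an operator two signals after applying the hotfix: the Implementation-Version that the bcprov jar on the classpath reports, and a behavioural regression check that hashes a password with OpenBSDBCrypt.generate and then asks OpenBSDBCrypt.checkPassword to verify a series of constructed wrong passwords. Any accepted wrong password is the defect the scanner describes. The password strings, the class name and the candidate count are assumptions made for the example; it requires bcprov-jdk15on on the classpath.

```java
import java.security.SecureRandom;

import org.bouncycastle.crypto.generators.OpenBSDBCrypt;

/**
 * Post-upgrade check for CVE-2020-28052 (added example, not Bouncy Castle code).
 * A fixed build must reject every wrong password; a vulnerable build may accept some.
 */
public class BcryptRegressionCheck {

    /** Reads the version string recorded in the jar manifest, or null if not loaded from a jar. */
    public static String bouncyCastleVersion() {
        Package pkg = OpenBSDBCrypt.class.getPackage();
        return pkg == null ? null : pkg.getImplementationVersion();
    }

    /**
     * Returns true only if the correct password verifies and every constructed
     * wrong candidate is rejected. Cost 4 is the bcrypt minimum and is used here
     * solely to keep the check fast; production hashes should use a higher cost.
     */
    public static boolean checkPasswordRejectsWrongPasswords(int candidates) {
        char[] password = "correct horse battery staple".toCharArray(); // constructed sample
        byte[] salt = new byte[16];                                      // bcrypt needs 16 salt bytes
        new SecureRandom().nextBytes(salt);
        int cost = 4;

        String hash = OpenBSDBCrypt.generate(password, salt, cost);

        // The genuine password must still verify against its own hash.
        if (!OpenBSDBCrypt.checkPassword(hash, password)) {
            return false;
        }

        // Constructed wrong candidates: a near miss, a prefix, and numbered variants
        // so that many different computed hashes are compared against the stored one.
        if (OpenBSDBCrypt.checkPassword(hash, "correct horse battery stapl3".toCharArray())) {
            return false;
        }
        if (OpenBSDBCrypt.checkPassword(hash, "correct horse".toCharArray())) {
            return false;
        }
        for (int i = 0; i < candidates; i++) {
            char[] wrong = ("wrong password " + i).toCharArray();
            if (OpenBSDBCrypt.checkPassword(hash, wrong)) {
                return false; // a wrong password was accepted: the CVE-2020-28052 behaviour
            }
        }
        return true;
    }

    public static void main(String[] args) {
        System.out.println("Bouncy Castle Implementation-Version: " + bouncyCastleVersion());

        boolean ok = checkPasswordRejectsWrongPasswords(200);
        System.out.println(ok
            ? "checkPassword rejected all wrong candidates"
            : "checkPassword ACCEPTED a wrong password; library still affected by CVE-2020-28052");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it with the same classpath the Enterprise Manager uses so that the bundled jar, not a developer copy, is exercised. A pass on a handful of candidates does not prove the defect is absent, since the scanner's description says incorrect passwords could be accepted, not that all were; the manifest version compared against the 1.67 fix named in the resolution is the authoritative check, and the behavioural loop is a second opinion that also catches a stale jar left on the classpath.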