Home > Vulnerability Database > CVE-2016-1000338

Mend.io Vulnerability Database

CVE-2016-1000338

Good to know:

Date: May 31, 2018

In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

Language: Java

Severity Score

7.5

Related Resources (15)

Url: https://access.redhat.com/errata/RHSA-2018:2927

Url: https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2018:2669

Url: https://www.oracle.com/security-alerts/cpuoct2020.html

Url: https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html

Url: https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E

Url: https://security.netapp.com/advisory/ntap-20231006-0011/

Url: https://github.com/bcgit/bc-java

Url: https://usn.ubuntu.com/3727-1/

Url: https://usn.ubuntu.com/3727-1

Url: https://security.netapp.com/advisory/ntap-20231006-0011

Url: https://nvd.nist.gov/vuln/detail/CVE-2016-1000338

Url: https://github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f#diff-3679f5a9d2b939d0d3ee1601a7774fb0

Url: https://github.com/advisories/GHSA-4vhj-98r6-424h

Url: https://www.mend.io/vulnerability-database/CVE-2016-1000338

Severity Score

7.5

Weakness Type (CWE)

Improper Verification of Cryptographic Signature

CWE-347

Top Fix

Upgrade Version

Upgrade to version muhammettotan/phpjasper - no_fix;cossou/jasperphp - dev-development;cossou/jasperphp - no_fix;cossou/jasperphp - v1.0.0;smart145/phpjasper - 3.3.2;smart145/phpjasper - 3.3.0;smart145/phpjasper - dev-add-missing;smart145/phpjasper - v1.0;smart145/phpjasper - 3.0.1;smart145/phpjasper - dev-century_gothic_font;smart145/phpjasper - dev-master;smart145/phpjasper - no_fix;dstecnologias/phpjasper - no_fix;chrmorandi/yii2-jasper - v0.5.0;pyreportjasper - no_fix;rdpascua/jasperstarter - no_fix;rdpascua/jasperstarter - dev-master;rdpascua/jasperstarter - 3.5.0;geekcom/phpjasper - no_fix;geekcom/phpjasper - v1.0;lopezsoft/jasperphp - v2.9.3;cromwell - 0.32;erw/phpjasperstarter - no_fix;iziedev/signer - 0.1.0-beta;iziedev/signer - no_fix;xidmonx/jasperphp - dev-development;xidmonx/jasperphp - 2.7.0;xidmonx/jasperphp - v1.0.0;xidmonx/jasperphp - no_fix;fgbio - 0.4.0;fgbio - 0.2.0;nealis/jasperphp - no_fix;minkbear/phpjasper - v1.0;minkbear/phpjasper - no_fix;davidecaruso/jasper-php - no_fix;davidecaruso/jasper-php - v1.0.0;ziack/jasperphp - 2.8.0;ziack/jasperphp - no_fix;existdb - 4.4.0;existdb - 4.7.0;jheferson-br/phpjasper - no_fix;geekcom/phpjasper-laravel - no_fix;stradaaccellog/phpjasper - v1.0;anshul-netgen/jasper-report - no_fix;drsoft/laraveljasper - no_fix;smartman/swedbank-gateway - no_fix;salesfusion/reporter - 1.1.4;a.ambrogini/phpjasper - no_fix;a.ambrogini/phpjasper - v1.0;pantools - 2.0.0;eihen/jasperstarter-bin - v3.4.1.0;penblu/jasperphp - no_fix;starkliew/jasperphp - no_fix;starkliew/jasperphp - v1.0.0;pyspark - 2.3.0;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:1.0.0.redhat-412;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:1.2.0.redhat-133;io.fabric8:tooling-jclouds-all:1.1.0.Beta1;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:1.2.0.redhat-133;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;io.fabric8:tooling-jclouds-all:no_fix;org.apache.cxf.services.xkms:cxf-services-xkms-war:3.1.6;org.apache.cxf.services.xkms:cxf-services-xkms-war:3.1.6;org.apache.cxf.services.xkms:cxf-services-xkms-war:3.1.6;org.apache.cxf.services.xkms:cxf-services-xkms-war:3.1.6;org.apache.cxf.services.xkms:cxf-services-xkms-war:3.1.6;org.apache.servicemix.bundles:org.apache.servicemix.bundles.bcprov-jdk15on:1.55_1;org.apache.servicemix.bundles:org.apache.servicemix.bundles.bcprov-jdk15on:1.56_1;org.apache.camel:camel-example-spring-boot:2.17.1;org.apache.camel:camel-example-spring-boot:2.17.1;org.apache.camel:camel-example-spring-boot:2.17.1;org.apache.karaf.demos:web:2.3.1;org.apache.karaf.demos:web:2.3.1;org.bouncycastle:bcprov-debug-jdk15on:1.56;org.bouncycastle:bcprov-jdk15on:1.48;org.bouncycastle:bcprov-jdk15on:1.56;org.bouncycastle:bcprov-debug-jdk14:1.59;io.syndesis.server:server-runtime:1.3.5;org.apache.cxf.services.sts:cxf-services-sts-war:3.1.6;org.bouncycastle:bcprov-jdk14:1.56;org.bouncycastle:bcprov-ext-jdk14:1.56;org.bouncycastle:bcprov-ext-jdk15on:1.56;org.bouncycastle:bcprov-ext-debug-jdk15on:1.56

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2016-1000338

Good to know:

Date: May 31, 2018

Language: Java

Severity Score

Related Resources (15)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?