Vulnerability Description
EMC RSA BSAFE Crypto-J versions prior to 6.2.2 has a PKCS#12 Timing Attack Vulnerability. A possible timing attack could be carried out by modifying a PKCS#12 file that has an integrity MAC for which the password is not known. An attacker could then feed the modified PKCS#12 file to the toolkit and guess the current MAC one byte at a time. This is possible because Crypto-J uses a non-constant-time method to compare the stored MAC with the calculated MAC. This vulnerability is similar to the issue described in CVE-2015-2601.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dell | Bsafe Crypto-J | < 6.2.2 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/archive/1/540066/30/0/threadedMailing ListThird Party AdvisoryVDB Entry
- http://www.securityfocus.com/bid/95831Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1037732Third Party AdvisoryVDB Entry
- http://www.securityfocus.com/archive/1/540066/30/0/threadedMailing ListThird Party AdvisoryVDB Entry
- http://www.securityfocus.com/bid/95831Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1037732Third Party AdvisoryVDB Entry
FAQ
What is CVE-2016-8217?
CVE-2016-8217 is a vulnerability with a CVSS score of 3.7 (LOW). EMC RSA BSAFE Crypto-J versions prior to 6.2.2 has a PKCS#12 Timing Attack Vulnerability. A possible timing attack could be carried out by modifying a PKCS#12 file that has an integrity MAC for which ...
How severe is CVE-2016-8217?
CVE-2016-8217 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-8217?
Check the references section above for vendor advisories and patch information. Affected products include: Dell Bsafe Crypto-J.