Vulnerability Description
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.
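The "incorrect data" in the description is the comparison loop itself: in 1.65 and 1.66 the loop index was used as a character code point (`String.indexOf(i)`) where a position lookup (`charAt(i)`) was intended, so two bcrypt strings compare equal whenever the first occurrence of each character with a code point below the string length (in practice `$`, `.`, `/` and the digits) sits at the same offset; the letters that make up most of the salt and hash are never compared. The Python below is an added model of that comparison written for this page, not Bouncy Castle's code; `str.find` returns -1 for an absent character exactly as Java's `indexOf` does, so `flawed_equals` reproduces the behaviour. The two 60-character strings are constructed for the demonstration and are not real bcrypt outputs; `fixed_equals` is the constant-time, character-by-character comparison a caller should expect from a patched check.

```python
import hmac

# Constructed for this example: shaped like bcrypt output ($2y$, cost 10,
# 22-character salt, 31-character hash) but not produced by bcrypt.
STORED_HASH = "$2y$10$" + "Qm3zoxLtVbhuWrEcYgTaKd" + "pJ7nB4vRwXeSaLcHyDgTmKfUqZiEoAs"
# Same header, and the digits 3, 7 and 4 at the same offsets as above;
# every other character differs.
FORGED_HASH = "$2y$10$" + "Zk3aGHjqRnTMvWlepUiscF" + "gD7wS4AeBtRqKvXmHzLnPcUyJoWfTiE"


def flawed_equals(stored: str, recomputed: str) -> bool:
    """Model of the comparison in BC Java 1.65/1.66 (CVE-2020-28052).

    The loop index i is used as a character code point, so each iteration
    compares the first offset of chr(i) in both strings (-1 when absent),
    mirroring Java's String.indexOf(int). No position is ever compared
    directly, and no letter is ever examined: letter code points (65 and
    up) exceed the loop bound, which is the 60-character bcrypt length.
    """
    if len(stored) != len(recomputed):
        return False
    equal = True
    for i in range(len(stored)):
        equal &= stored.find(chr(i)) == recomputed.find(chr(i))
    return equal


def fixed_equals(stored: str, recomputed: str) -> bool:
    """Compare every character, in constant time (what a correct check does)."""
    return hmac.compare_digest(stored.encode("ascii"), recomputed.encode("ascii"))


def checked_positions(stored: str) -> set:
    """The (character, offset) pairs the flawed loop actually pins down.

    Everything else in the string, including every letter, is free.
    """
    return {
        (chr(i), stored.find(chr(i)))
        for i in range(len(stored))
        if stored.find(chr(i)) != -1
    }


if __name__ == "__main__":
    print("strings identical:   ", STORED_HASH == FORGED_HASH)
    print("flawed check accepts:", flawed_equals(STORED_HASH, FORGED_HASH))
    print("fixed check accepts: ", fixed_equals(STORED_HASH, FORGED_HASH))
    print("offsets the flawed loop constrains:", sorted(checked_positions(STORED_HASH), key=lambda p: p[1]))
    # Changing a single letter of the stored string is also invisible to it.
    print("one letter changed, flawed check:", flawed_equals(STORED_HASH, STORED_HASH[:-1] + "x"))
```

For the constructed stored string the flawed loop constrains only seven offsets, all of them `$` or digits, which is why a wrong password whose recomputed hash happens to reproduce those few offsets is reported as a match. The comparison lives inside checkPassword, so the fix is to upgrade; a caller that cannot upgrade yet can regenerate the hash string with the stored salt and cost itself and compare the result with a constant-time comparison rather than relying on the library's check.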
CVSS Score
8.1 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bouncycastle | Bc-Java | 1.65, 1.66 |
| Apache | Karaf | 4.3.2 |
| Oracle | Banking Corporate Lending Process Management | 14.2.0 |
| Oracle | Banking Credit Facilities Process Management | 14.2.0 |
| Oracle | Banking Extensibility Workbench | 14.2.0 |
| Oracle | Banking Supply Chain Finance | 14.2.0 |
| Oracle | Banking Virtual Account Management | 14.2.0 |
| Oracle | Blockchain Platform | < 21.1.2 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Application Session Controller | 3.9m0p3 |
| Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.2.1 |
| Oracle | Communications Convergence | 3.0.2.2.0 |
| Oracle | Communications Pricing Design Center | 12.0.0.3.0 |
| Oracle | Communications Session Report Manager | >= 8.0.0, <= 8.2.4.0 |
| Oracle | Communications Session Route Manager | >= 8.2.0, <= 8.2.4 |
| Oracle | Jd Edwards Enterpriseone Tools | <= 9.2.5.3 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.56 |
| Oracle | Utilities Framework | 4.3.0.6.0 |
| Oracle | Webcenter Portal | 11.1.1.9.0 |
| Oracle | Communications Messaging Server | 8.0.2 |
References
- https://github.com/bcgit/bc-java/wiki/CVE-2020-28052 (Mitigation, Patch, Third Party Advisory)
- https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c2520
- https://lists.apache.org/thread.html/r175f5a25d100dbe2b1bd3459b3ce882a84c3ff91b1
- https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099
- https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e3
- https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdf
- https://lists.apache.org/thread.html/r37d332c0bf772f4982d1fdeeb2f88dd71dab645121
- https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907b
- https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf3
- https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b
- https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6
- https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87
- https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb600869
- https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94
- https://lists.apache.org/thread.html/rddd2237b8636a48d573869006ee809262525efb2b6
FAQ
What is CVE-2020-28052?
CVE-2020-28052 is a vulnerability with a CVSS score of 8.1 (HIGH). An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.
How severe is CVE-2020-28052?
CVE-2020-28052 has been rated HIGH with a CVSS base score of 8.1/10. The practical impact is an authentication bypass: a password that is not the correct one can pass the bcrypt check.
Is there a patch for CVE-2020-28052?
Yes. Only BC Java 1.65 and 1.66 are affected; upgrade to 1.67 or later, and see the bc-java wiki entry in the references section above for the project's own mitigation notes. Products that bundle the affected versions, including Apache Karaf and the Oracle products listed above, need the vendor update that ships a fixed Bouncy Castle; check the vendor advisories in the references for patch information.