[Japanese]

JVNDB-2015-000033

Vulnerability in the jBCrypt key stretching process

Overview

jBCrypt is a Java implementation to compute password hashes. jBCrypt contains an integer overflow vulnerability in the key stretching process. An integer overflow occurs when the parameter for the repetition count is set to the maximum value allowed, 31.

Norito AGETSUMA reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None

This analysis assumes that a remote attacker obtains the hash value through the network.
Affected Products


mindrot.org
  • jBCrypt -0.3 and earlier

Impact

When the hash value for a password is obtained by a remote attacker, a brute force attack may be used to easily recover the password.
Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.
Vendor Information

mindrot.org
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2015-0886
References

  1. JVN : JVN#77718330
  2. National Vulnerability Database (NVD) : CVE-2015-0886
  3. Related document : OpenSSH: Bugs ([Bug 2097] if gensalt's log_rounds parameter is set to 31 it does 0 (ZERO) rounds!)
Revision History

[2015/02/27]
  Web page was published
[2015/03/03]
  References : Content was added