# Bugs found by Project Wycheproof See [list of issues](issues.md) for details. ## Package OpenJDK | Summary | Credits | CVE | Upstream Acknowledgement | Tests | |:---------------------------: |:--------------------------:|:-----------------:|:--------------------------------------: |:---------------------------------------: | Biased DSA, leaks signing key | Daniel Bleichenbacher |CVE-2016-0695 | Oracle Critical Patch Update April 2016 | DsaTest: testDsaBias, testBiasSha1WithDSA | | GCM's timing attack, leaks auth key | Quan Nguyen |CVE-2016-3426 | Oracle Critical Patch Update April 2016 | N/A | | GCM updateAAD | Quan nguyen | N/A | Oracle Critical Patch Update April 2016 | AesGcmTest: testLateUpdateAAD | | GCM wrapped around counter, leaks auth key | Quan Nguyen | N/A | Oracle Critical Patch Update April 2016 | AesGcmTest: testWrappedAroundCounter | | DSA ArrayIndexOutOfBoundsException | Daniel Bleichenbacher | CVE-2016-5546 | Oracle Critical Patch Update Jan 2017 | DsaTest: testInvalidSignatures | | RSA OutOfMemoryError | Daniel Bleichenbacher | CVE-2016-5547 | Oracle Critical Patch Update Jan 2017 | RsaSignatureTest: testVectors | | DSA accepts modified signatures | Daniel Bleichenbacher | CVE-2016-5546 | Oracle Critical Patch Update Jan 2017 | DsaTest: testModifiedSignatures | | DSA Timing Attack | Daniel Bleichenbacher | CVE-2016-5548 | Oracle Critical Patch Update Jan 2017 | DsaTest: testTiming | | ECDSA accepts modified signatures| Daniel Bleichenbacher | CVE-2016-5546 | Oracle Critical Patch Update Jan 2017 | EcdsaTest: testModifiedSignatures | | ECDSA Timing Attack | Daniel Bleichenbacher | CVE-2016-5549 | Oracle Critical Patch Update Jan 2017 | EcdsaTest: testTiming | | Biased ECDSA | Daniel Bleichenbacher | | | Ecdsa: testBias | ## Package Conscrypt | Summary | Credits | CVE | Upstream Acknowledgement | Tests | |:---------------------------: |:--------------------------:|:-----------------:|:--------------------------------------: |:---------------------------------------: | ECDH Invalid Curve Attack | Daniel Bleichenbacher | N/A | | EcdhTest: multiple tests | | GCM IV reuse | Daniel Bleichenbacher | N/A | | AesGcmTest: testIvReuse | | GCM weak default tag length | Quan Nguyen | N/A | | AesGcmTest: testDefaultTagSizeIvParameterSpec | ## Package BouncyCastle v1.55 and older | Summary | Credits | CVE | Upstream Acknowledgement | Tests | |:---------------------------: |:--------------------------:|:-----------------:|:--------------------------------------: |:---------------------------------------: | v1.55 ECDH upstream fix was incomplete | Daniel Bleichenbacher | N/A | | Ecdh: multiple tests | | ECDHC Invalid curve attack | Daniel Bleichenbacher | N/A | | EcdhTest: testModifiedPublic,testModifiedPublicSpec, testWrongOrder | | v1.55 PKCS #1 RSA is more vulnerable to CCA attack | Daniel Bleichenbacher | N/A | | RsaTest: testExceptions | | Dhies uses unsafe ECB mode | Daniel Bleichenbacher | CVE-2016-1000344 | | DhiesTest | | ECIES use unsafe ECB mode by default for "ECIESWithAES" or "ECIESwithDESede" | Daniel Bleichenbacher | CVE-2016-1000352 | | EciesTest: testNotEcb, testDefaultEcies| | 1.52 ECIESWithAES-CBC is vulnerable to padding oracle attack | Daniel Bleichenbacher | CVE-2016-1000345 | | EciesTest: testExceptions | | GCM reuses IV after doFinal() | Daniel Bleichenbacher | N/A | | | | ECDSA accepts invalid signatures | Daniel Bleichenbacher | CVE-2016-1000342 | | EcdsaTest: testModifiedSignatures | | DSA accepts invalid signatures | Daniel Bleichenbacher | CVE-2016-1000338 | | DsaTest: testModifiedsignatures | | DSA generates weak key | Daniel Bleichenbacher | CVE-2016-1000343 | | DsaTest: testKeyGeneration | | Allows invalid DH public key | Daniel Bleichenbacher | CVE-2016-1000346 | | DhTest: incomplete | | DSA timing attacks | Daniel Bleichenbacher | CVE-2016-1000341 | | DsaTest: testTiming | | GCM Wrapped Around Counter | Quan Nguyen | CVE-2015-6644 | Nexus Security Bullentin Jan 2016 | AesGcmTest: testWrappedAroundCounter | ## Package Go JOSE (https://github.com/square/go-jose) | Summary | Credits | CVE | Upstream Acknowledgement | Tests | |:---------------------------: |:--------------------------:|:-----------------:|:--------------------------------------: |:---------------------------------------: | ECDH Invalid Curve Attack | Quan Nguyen | CVE-2016-9121 | $5500 total by Square Inc. for all bugs | To be released | | Multiple signatures, auth bypass | Quan Nguyen | CVE-2016-9122 | | To be released | | Integer overflow, HMAC bypass | Quan Nguyen | CVE-2016-9123 | | To be released | | Accepts embedded HMAC key | Quan Nguyen | N/A | | To be released | ## Package Go crypto | Summary | Credits | CVE | Upstream Acknowledgement | Tests | |:---------------------------: |:--------------------------:|:-----------------:|:--------------------------------------: |:---------------------------------------: | GCM wrapped around counter | Quan Nguyen | N/A | goo.gl/OdhZcY | | P-384 and P-521 ScalarMult DoS | Daniel Bleichenbacher, Harris Baskaran | CVE-2019-6486 | [golang/go#29903](https://github.com/golang/go/issues/29903) | ecdh_secp384r1_test.json, ecdh_secp521r1_test.json | ## Package Nimbus JOSE+JWT (https://connect2id.com/products/nimbus-jose-jwt) | Summary | Credits | CVE | Upstream Acknowledgement | Tests | |:---------------------------: |:--------------------------:|:-----------------:|:--------------------------------------: |:---------------------------------------: | CBC-HMAC is vulnerable to padding oracle attack | Quan Nguyen | N/A | https://goo.gl/ACZQeI | To be released | CBC-HMAC integer overflow, HMAC bypass | Quan Nguyen | N/A | https://goo.gl/ACZQeI | To be released ## Package OpenSSL | Summary | Credits | CVE | Upstream Acknowledgement | Tests | |:---------------------------: |:--------------------------:|:-----------------:|:--------------------------------------: |:---------------------------------------: | X25519 incorrect carry handling | Alex Gaynor and Paul Kehrer | N/A | https://github.com/openssl/openssl/issues/6687 | | Ed25519 malleable signatures | Paul Kehrer and Alex Gaynor | N/A | https://github.com/openssl/openssl/issues/7693 | ## Package LibreSSL | Summary | Credits | CVE | Upstream Acknowledgement | Tests | |:---------------------------: |:--------------------------:|:-----------------:|:--------------------------------------: |:---------------------------------------: | Overly lax RSA PKCS1v1.5 parsing | Alex Gaynor and Paul Kehrer | N/A | [link](https://github.com/openbsd/src/commit/4698a0ba0d5547fce37134cb00f204c68f429885#diff-8c6377c3026df41da690063739326043) |