
CVE-2020-15522: Timing based private key exposure in Bouncy Castle

CVSS Score (v3.1): 5.1

Basic Information

EPSS Score: 0.62412%
Published: 8/13/2021
Updated: 5/30/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.bouncycastle:bc-fips | maven | <= 1.0.2 | 1.0.2.1
org.bouncycastle:bcprov-ext-jdk15on | maven | < 1.66 | 1.66
org.bouncycastle:bcprov-ext-jdk16 | maven | < 1.66 | 1.66
org.bouncycastle:bcprov-jdk14 | maven | < 1.66 | 1.66
org.bouncycastle:bcprov-jdk15 | maven | < 1.66 | 1.66
org.bouncycastle:bcprov-jdk15on | maven | < 1.66 | 1.66
org.bouncycastle:bcprov-jdk15to18 | maven | < 1.66 | 1.66
org.bouncycastle:bcprov-jdk16 | maven | < 1.66 | 1.66
BouncyCastle | nuget | < 1.8.7 | 1.8.7

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from a non-constant-time implementation of EC scalar multiplication used in deterministic ECDSA signing. The Bouncy Castle wiki explicitly references ECPoint.implShamirsTrickWNaf as the location where blinding was added to mitigate timing attacks. This method is on the signature-generation path and would appear in profiler traces during cryptographic operations. Because vulnerable versions performed no blinding, execution time depended on the private key bits, which enabled side-channel analysis.
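To illustrate the class of leak and the blinding mitigation the root-cause note refers to, the following is an added example, not code from this page or from Bouncy Castle: it uses a constructed toy curve (y^2 = x^3 + 7 over F_17, generator of order 18) and a plain double-and-add loop, whereas Bouncy Castle's wNAF/Shamir's-trick code is more involved. It counts the scalar-dependent point additions with and without blinding the scalar as k + r*n.

```python
# Added example, not code from the Miggo page or from Bouncy Castle: a toy
# curve (constructed: y^2 = x^3 + 7 over F_17, generator G of order 18) showing
# how an unblinded double-and-add leaks the scalar through its operation count,
# and how blinding the scalar as k + r*n removes that dependence on k alone.
P_MOD, A = 17, 0
G = (15, 13)
N_ORDER = 18  # order of G: 18*G is the point at infinity (see order_of)

def add(p1, p2):
    """Affine point addition on y^2 = x^3 + A*x + 7; None = infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def order_of(point):
    """Smallest m > 0 with m*point = infinity (brute force, toy sizes only)."""
    acc, m = point, 1
    while acc is not None:
        acc, m = add(acc, point), m + 1
    return m

def scalar_mult(k, point):
    """Left-to-right double-and-add; returns (k*point, additions performed).
    The addition count equals popcount(k), so the run time of the loop is a
    function of the secret scalar: the class of leak the advisory describes."""
    acc, adds = None, 0
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc, adds = add(acc, point), adds + 1
    return acc, adds

def blinded_scalar_mult(k, point, r):
    """Same product computed on the blinded scalar k + r*n (n = order of point).
    n*point is the identity, so the result is unchanged, but the bit pattern the
    loop walks now varies with the per-call random r instead of with k alone."""
    return scalar_mult(k + r * N_ORDER, point)
```

With k = 5 the unblinded loop always performs 2 additions, while the blinded scalar performs 4 additions for r = 1 and 3 for r = 2, yet every call returns the same point; in a real library r is drawn fresh per signature so repeated timings of a deterministic nonce no longer average to a key-dependent value.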
