An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.
https://github.com/bcgit/bc-java/wiki/CVE-2020-28052 https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/ https://github.com/bcgit/bc-java/commit/97578f9b7ed277e6ecb58834e85e3d18385a4219
Workaround ========== If you have to use either BC 1.65 or BC 1.66 and you need to do password checking for OpenBSDBcrypt use the code given in the doCheckPassword() method in: https://github.com/bcgit/bc-java/blob/master/core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java It's a static method - the code can be copied into your own utility class without issue.
Vulmon