CVE-2016-1000338

Published Jun 1, 2018
·
Updated

In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

Affected Software

10 affected componentsFixes available
redhat/bouncycastle<1.56
1.56
maven/org.bouncycastle:bcprov-jdk15>=1.38<1.56
1.56
maven/org.bouncycastle:bcprov-jdk14>=1.38<1.56
1.56
bouncycastle Legion-of-the-bouncy-castle-java-crytography-api<=1.55
bouncycastle Legion-of-the-bouncy-castle-java-crytography-api>=1.38<1.56
redhat Satellite=6.4
redhat Satellite Capsule=6.4
Canonical Ubuntu Linux=14.04
NetApp 7-Mode Transition Tool
debian/bouncycastle
1.68-21.72-21.80-3

Remediation

Patch Available

https://github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f#diff-3679f5a9d2b939d0d3ee1601a7774fb0

Event History

Jun 1, 2018
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
Description
Oct 17, 2018
Advisory Published
via GitHub·04:23 PM
Feb 18, 2026
Data Sourced
via Ubuntu·11:29 PM
RemedyDescriptionSeverityAffected Software
Data Sourced
via Launchpad·11:30 PM
Description
Mar 12, 2026
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2016-1000338?

The severity of CVE-2016-1000338 is high, with a CVSS score of 7.5.

2

How does CVE-2016-1000338 affect Bouncy Castle JCE Provider?

CVE-2016-1000338 affects Bouncy Castle JCE Provider versions 1.55 and earlier.

3

What is the impact of CVE-2016-1000338?

The impact of CVE-2016-1000338 is that it could provide weaker than expected security due to improper validation of ASN.1 encoding, allowing the injection of extra elements in the signature.

4

How can I fix CVE-2016-1000338?

To fix CVE-2016-1000338, update Bouncy Castle JCE Provider to version 1.56 or later.

5

Are there any references for more information about CVE-2016-1000338?

Yes, you can find more information about CVE-2016-1000338 at the following references: - NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2016-1000338 - GitHub Commit: https://github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f#diff-3679f5a9d2b939d0d3ee1601a7774fb0 - Red Hat Advisory: https://access.redhat.com/errata/RHSA-2018:2669

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203