Search for vulnerabilities
Vulnerability details: VCID-t93j-7vrc-affy
Vulnerability ID VCID-t93j-7vrc-affy
Aliases CVE-2016-1000339
GHSA-c8xf-m4ff-jcxj
Summary In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-310 Cryptographic Issues
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
System Score Found at
cvssv3.1 5.3 https://access.redhat.com/errata/RHSA-2018:2669
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2018:2669
cvssv3.1 5.3 https://access.redhat.com/errata/RHSA-2018:2927
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2018:2927
cvssv3 5.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000339.json
epss 0.01707 https://api.first.org/data/v1/epss?cve=CVE-2016-1000339
epss 0.01707 https://api.first.org/data/v1/epss?cve=CVE-2016-1000339
epss 0.01707 https://api.first.org/data/v1/epss?cve=CVE-2016-1000339
epss 0.01707 https://api.first.org/data/v1/epss?cve=CVE-2016-1000339
epss 0.01707 https://api.first.org/data/v1/epss?cve=CVE-2016-1000339
epss 0.01707 https://api.first.org/data/v1/epss?cve=CVE-2016-1000339
epss 0.01707 https://api.first.org/data/v1/epss?cve=CVE-2016-1000339
epss 0.01707 https://api.first.org/data/v1/epss?cve=CVE-2016-1000339
epss 0.01707 https://api.first.org/data/v1/epss?cve=CVE-2016-1000339
epss 0.01707 https://api.first.org/data/v1/epss?cve=CVE-2016-1000339
epss 0.01707 https://api.first.org/data/v1/epss?cve=CVE-2016-1000339
epss 0.01707 https://api.first.org/data/v1/epss?cve=CVE-2016-1000339
epss 0.01707 https://api.first.org/data/v1/epss?cve=CVE-2016-1000339
epss 0.01707 https://api.first.org/data/v1/epss?cve=CVE-2016-1000339
epss 0.01707 https://api.first.org/data/v1/epss?cve=CVE-2016-1000339
epss 0.01707 https://api.first.org/data/v1/epss?cve=CVE-2016-1000339
epss 0.01707 https://api.first.org/data/v1/epss?cve=CVE-2016-1000339
cvssv3.1 5.3 https://github.com/advisories/GHSA-c8xf-m4ff-jcxj
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-c8xf-m4ff-jcxj
generic_textual MODERATE https://github.com/advisories/GHSA-c8xf-m4ff-jcxj
cvssv3.1 5.3 https://github.com/bcgit/bc-java/commit/413b42f4d770456508585c830cfcde95f9b0e93b#diff-54656f860db94b867ba7542430cd2ef0
generic_textual MODERATE https://github.com/bcgit/bc-java/commit/413b42f4d770456508585c830cfcde95f9b0e93b#diff-54656f860db94b867ba7542430cd2ef0
cvssv3.1 5.3 https://github.com/bcgit/bc-java/commit/8a73f08931450c17c749af067b6a8185abdfd2c0#diff-494fb066bed02aeb76b6c005632943f2
generic_textual MODERATE https://github.com/bcgit/bc-java/commit/8a73f08931450c17c749af067b6a8185abdfd2c0#diff-494fb066bed02aeb76b6c005632943f2
cvssv3.1 5.3 https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html
generic_textual MODERATE https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html
cvssv2 5.0 https://nvd.nist.gov/vuln/detail/CVE-2016-1000339
cvssv3 5.3 https://nvd.nist.gov/vuln/detail/CVE-2016-1000339
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2016-1000339
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2016-1000339
cvssv3.1 5.3 https://security.netapp.com/advisory/ntap-20181127-0004
generic_textual MODERATE https://security.netapp.com/advisory/ntap-20181127-0004
cvssv3.1 5.3 https://usn.ubuntu.com/3727-1
generic_textual MODERATE https://usn.ubuntu.com/3727-1
cvssv3.1 5.3 https://www.oracle.com/security-alerts/cpuoct2020.html
generic_textual MODERATE https://www.oracle.com/security-alerts/cpuoct2020.html
Reference id Reference type URL
https://access.redhat.com/errata/RHSA-2018:2669
https://access.redhat.com/errata/RHSA-2018:2927
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000339.json
https://api.first.org/data/v1/epss?cve=CVE-2016-1000339
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000339
https://github.com/advisories/GHSA-c8xf-m4ff-jcxj
https://github.com/bcgit/bc-java/commit/413b42f4d770456508585c830cfcde95f9b0e93b
https://github.com/bcgit/bc-java/commit/413b42f4d770456508585c830cfcde95f9b0e93b#diff-54656f860db94b867ba7542430cd2ef0
https://github.com/bcgit/bc-java/commit/8a73f08931450c17c749af067b6a8185abdfd2c0#diff-494fb066bed02aeb76b6c005632943f2
https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html
https://nvd.nist.gov/vuln/detail/CVE-2016-1000339
https://security.netapp.com/advisory/ntap-20181127-0004
https://security.netapp.com/advisory/ntap-20181127-0004/
https://usn.ubuntu.com/3727-1
https://www.oracle.com/security-alerts/cpuoct2020.html
1588695 https://bugzilla.redhat.com/show_bug.cgi?id=1588695
cpe:2.3:a:bouncycastle:bc-java:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:bouncycastle:bc-java:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
USN-3727-1 https://usn.ubuntu.com/3727-1/
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2018:2669
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2018:2927
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000339.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/advisories/GHSA-c8xf-m4ff-jcxj
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/bcgit/bc-java/commit/413b42f4d770456508585c830cfcde95f9b0e93b#diff-54656f860db94b867ba7542430cd2ef0
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/bcgit/bc-java/commit/8a73f08931450c17c749af067b6a8185abdfd2c0#diff-494fb066bed02aeb76b6c005632943f2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2016-1000339
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2016-1000339
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2016-1000339
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://security.netapp.com/advisory/ntap-20181127-0004
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://usn.ubuntu.com/3727-1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://www.oracle.com/security-alerts/cpuoct2020.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.81548
EPSS Score 0.01707
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T07:58:47.388349+00:00 ProjectKB MSRImporter Import https://raw.githubusercontent.com/SAP/project-kb/master/MSR2019/dataset/vulas_db_msr2019_release.csv 37.0.0